Imperceptible and Multi-channel Backdoor Attack against Deep Neural Networks

TL;DR

This paper introduces a novel, imperceptible multi-channel backdoor attack on DNNs using DCT steganography, achieving high success rates without affecting model accuracy and resisting existing defenses.

Contribution

It proposes a new multi-channel, multi-target backdoor attack method leveraging DCT steganography, enhancing stealth and robustness against defenses.

Findings

Achieves over 90% attack success rate on CIFAR-10 and TinyImageNet datasets.

Maintains classification accuracy despite the backdoor attack.

Resists state-of-the-art backdoor defense methods like Neural Cleanse.

Abstract

Recent researches demonstrate that Deep Neural Networks (DNN) models are vulnerable to backdoor attacks. The backdoored DNN model will behave maliciously when images containing backdoor triggers arrive. To date, existing backdoor attacks are single-trigger and single-target attacks, and the triggers of most existing backdoor attacks are obvious thus are easy to be detected or noticed. In this paper, we propose a novel imperceptible and multi-channel backdoor attack against Deep Neural Networks by exploiting Discrete Cosine Transform (DCT) steganography. Based on the proposed backdoor attack method, we implement two variants of backdoor attacks, i.e., N-to-N backdoor attack and N-to-One backdoor attack. Specifically, for a colored image, we utilize DCT steganography to construct the trigger on different channels of the image. As a result, the trigger is stealthy and natural. Based on the proposed method, we implement multi-target and multi-trigger backdoor attacks. Experimental results demonstrate that the average attack success rate of the N-to-N backdoor attack is 93.95% on CIFAR-10 dataset and 91.55% on TinyImageNet dataset, respectively. The average attack success rate of N-to-One attack is 90.22% and 89.53% on CIFAR-10 and TinyImageNet datasets, respectively. Meanwhile, the proposed backdoor attack does not affect the classification accuracy of the DNN model. Moreover, the proposed attack is demonstrated to be robust to the state-of-the-art backdoor defense (Neural Cleanse).