Data-Efficient Backdoor Attacks
Pengfei Xia, Ziqiang Li, Wei Zhang, and Bin Li

TL;DR
This paper introduces a novel data selection strategy for backdoor attacks on neural networks, significantly reducing the number of poisoned samples needed while maintaining attack success, and demonstrating strong transferability across settings.
Contribution
It formulates poisoned data selection as an optimization problem and proposes the Filtering-and-Updating Strategy (FUS) to improve data efficiency in backdoor attacks.
Findings
Achieves the same attack success rate with only 47-75% of the poisoned samples that random selection requires.
Demonstrates strong transferability of selected poisoned samples across different attack settings.
Effective on datasets like CIFAR-10 and ImageNet-10.
Abstract
Recent studies have proven that deep neural networks are vulnerable to backdoor attacks. Specifically, by mixing a small number of poisoned samples into the training set, the behavior of the trained model can be maliciously controlled. Existing attack methods construct such adversaries by randomly selecting some clean data from the benign set and then embedding a trigger into them. However, this selection strategy ignores the fact that each poisoned sample contributes unequally to the backdoor injection, which reduces the efficiency of poisoning. In this paper, we formulate improving the poisoned data efficiency by the selection as an optimization problem and propose a Filtering-and-Updating Strategy (FUS) to solve it. The experimental results on CIFAR-10 and ImageNet-10 indicate that the proposed method is effective: the same attack success rate can be achieved with only 47% to 75% of…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · COVID-19 diagnosis using AI
