Enhancing Clean Label Backdoor Attack with Two-phase Specific Triggers

TL;DR

This paper introduces a two-phase, image-specific trigger generation method to improve the stealthiness and effectiveness of clean-label backdoor attacks on deep neural networks, achieving high success rates with low poisoning rates.

Contribution

It presents a novel two-phase, image-specific trigger generation approach that enhances attack success and stealthiness in clean-label backdoor attacks.

Findings

Achieves 98.98% attack success rate.

Maintains low poisoning rate of 5%.

Resistant to existing backdoor defenses.

Abstract

Backdoor attacks threaten Deep Neural Networks (DNNs). Towards stealthiness, researchers propose clean-label backdoor attacks, which require the adversaries not to alter the labels of the poisoned training datasets. Clean-label settings make the attack more stealthy due to the correct image-label pairs, but some problems still exist: first, traditional methods for poisoning training data are ineffective; second, traditional triggers are not stealthy which are still perceptible. To solve these problems, we propose a two-phase and image-specific triggers generation method to enhance clean-label backdoor attacks. Our methods are (1) powerful: our triggers can both promote the two phases (i.e., the backdoor implantation and activation phase) in backdoor attacks simultaneously; (2) stealthy: our triggers are generated from each image. They are image-specific instead of fixed triggers. Extensive experiments demonstrate that our approach can achieve a fantastic attack success rate~(98.98%) with low poisoning rate~(5%), high stealthiness under many evaluation metrics and is resistant to backdoor defense methods.