FRIB: Low-poisoning Rate Invisible Backdoor Attack based on Feature Repair

TL;DR

FRIB introduces a novel feature repair technique using blind watermarking to enable low-poisoning rate invisible backdoor attacks, significantly improving success rates across multiple datasets.

Contribution

The paper proposes the first feature repair method for invisible backdoor attacks, enhancing attack effectiveness at low poisoning rates through blind watermark-based poisoned feature restoration.

Findings

Achieves high backdoor attack success rates with low poisoning rates.

Effective across MNIST, CIFAR10, GTSRB, and ImageNet datasets.

Enhances the mapping relationship between triggers and labels.

Abstract

During the generation of invisible backdoor attack poisoned data, the feature space transformation operation tends to cause the loss of some poisoned features and weakens the mapping relationship between source images with triggers and target labels, resulting in the need for a higher poisoning rate to achieve the corresponding backdoor attack success rate. To solve the above problems, we propose the idea of feature repair for the first time and introduce the blind watermark technique to repair the poisoned features lost during the generation of poisoned data. Under the premise of ensuring consistent labeling, we propose a low-poisoning rate invisible backdoor attack based on feature repair, named FRIB. Benefiting from the above design concept, the new method enhances the mapping relationship between the source images with triggers and the target labels, and increases the degree of misleading DNNs, thus achieving a high backdoor attack success rate with a very low poisoning rate. Ultimately, the detailed experimental results show that the goal of achieving a high success rate of backdoor attacks with a very low poisoning rate is achieved on all MNIST, CIFAR10, GTSRB, and ImageNet datasets.