Hardly Perceptible Trojan Attack against Neural Networks with Bit Flips

TL;DR

This paper introduces a novel Trojan attack on neural networks that creates nearly imperceptible trigger images using noise and pixel flow, achieving effective attacks without obvious patches.

Contribution

The paper proposes the hardly perceptible Trojan attack (HPT) that generates subtle trigger images by optimizing noise and pixel flow, improving stealthiness over existing patch-based methods.

Findings

HPT produces nearly imperceptible Trojan images.

HPT achieves comparable or better attack success rates.

Effective optimization algorithm handles binary weight constraints.

Abstract

The security of deep neural networks (DNNs) has attracted increasing attention due to their widespread use in various applications. Recently, the deployed DNNs have been demonstrated to be vulnerable to Trojan attacks, which manipulate model parameters with bit flips to inject a hidden behavior and activate it by a specific trigger pattern. However, all existing Trojan attacks adopt noticeable patch-based triggers (e.g., a square pattern), making them perceptible to humans and easy to be spotted by machines. In this paper, we present a novel attack, namely hardly perceptible Trojan attack (HPT). HPT crafts hardly perceptible Trojan images by utilizing the additive noise and per pixel flow field to tweak the pixel values and positions of the original images, respectively. To achieve superior attack performance, we propose to jointly optimize bit flips, additive noise, and flow field. Since the weight bits of the DNNs are binary, this problem is very hard to be solved. We handle the binary constraint with equivalent replacement and provide an effective optimization algorithm. Extensive experiments on CIFAR-10, SVHN, and ImageNet datasets show that the proposed HPT can generate hardly perceptible Trojan images, while achieving comparable or better attack performance compared to the state-of-the-art methods. The code is available at: https://github.com/jiawangbai/HPT.