BATT: Backdoor Attack with Transformation-based Triggers

TL;DR

This paper introduces a novel backdoor attack using specific spatial transformations like rotation and translation as triggers, demonstrating its effectiveness and resistance to defenses in both digital and physical environments.

Contribution

It presents a new backdoor attack method leveraging classical spatial transformations as triggers, which is effective and robust against existing defenses.

Findings

Effective backdoor activation with specific rotation angles.

Resistant to current backdoor defense mechanisms.

Works in both digital and physical scenarios.

Abstract

Deep neural networks (DNNs) are vulnerable to backdoor attacks. The backdoor adversaries intend to maliciously control the predictions of attacked DNNs by injecting hidden backdoors that can be activated by adversary-specified trigger patterns during the training process. One recent research revealed that most of the existing attacks failed in the real physical world since the trigger contained in the digitized test samples may be different from that of the one used for training. Accordingly, users can adopt spatial transformations as the image pre-processing to deactivate hidden backdoors. In this paper, we explore the previous findings from another side. We exploit classical spatial transformations (i.e. rotation and translation) with the specific parameter as trigger patterns to design a simple yet effective poisoning-based backdoor attack. For example, only images rotated to a particular angle can activate the embedded backdoor of attacked DNNs. Extensive experiments are conducted, verifying the effectiveness of our attack under both digital and physical settings and its resistance to existing backdoor defenses.