Silent Killer: A Stealthy, Clean-Label, Black-Box Backdoor Attack
Tzvi Lederer, Gallil Maimon, Lior Rokach

TL;DR
Silent Killer introduces a stealthy, clean-label, black-box backdoor attack that leverages universal adversarial perturbations, achieving high success rates and outperforming existing methods across multiple datasets.
Contribution
It presents a novel attack method that uses universal adversarial perturbations as triggers in clean-label, black-box settings, and shows that gradient alignment is required when crafting the poison to reach high success rates.
Findings
Achieves state-of-the-art success rates on MNIST, CIFAR10, and ImageNet.
Uses universal adversarial perturbations as triggers for stealthy attacks.
Outperforms existing backdoor attack methods in various threat models.
Abstract
Backdoor poisoning attacks pose a well-known risk to neural networks. However, most studies have focused on lenient threat models. We introduce Silent Killer, a novel attack that operates in clean-label, black-box settings, uses a stealthy poison and trigger and outperforms existing methods. We investigate the use of universal adversarial perturbations as triggers in clean-label attacks, following the success of such approaches under poison-label settings. We analyze the success of a naive adaptation and find that gradient alignment for crafting the poison is required to ensure high success rates. We conduct thorough experiments on MNIST, CIFAR10, and a reduced version of ImageNet and achieve state-of-the-art results.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · COVID-19 diagnosis using AI
