Influencer Backdoor Attack on Semantic Segmentation
Haoheng Lan, Jindong Gu, Philip Torr, Hengshuang Zhao

TL;DR
This paper introduces a novel backdoor attack method on semantic segmentation models, demonstrating how malicious triggers can cause misclassification of specific classes while preserving overall accuracy, highlighting security vulnerabilities.
Contribution
The work pioneers backdoor attack techniques tailored for semantic segmentation, proposing effective trigger injection strategies and demonstrating real-world attack feasibility.
Findings
Segmentation models are vulnerable to backdoor attacks.
Proposed trigger strategies improve attack success rates.
Backdoor attacks can be effective without degrading overall model accuracy.
Abstract
When a small number of poisoned samples are injected into the training dataset of a deep neural network, the network can be induced to exhibit malicious behavior during inferences, which poses potential threats to real-world applications. While they have been intensively studied in classification, backdoor attacks on semantic segmentation have been largely overlooked. Unlike classification, semantic segmentation aims to classify every pixel within a given image. In this work, we explore backdoor attacks on segmentation models to misclassify all pixels of a victim class by injecting a specific trigger on non-victim pixels during inferences, which is dubbed Influencer Backdoor Attack (IBA). IBA is expected to maintain the classification accuracy of non-victim pixels and mislead classifications of all victim pixels in every single inference and could be easily applied to real-world scenes.…
Peer Reviews
Decision: ICLR 2024 spotlight
- Backdoor attacks for semantic segmentation models are an interesting threat model, apparently underexplored in prior works, and the paper fills this gap.
- The proposed methods are effective in the experimental evaluation on several architectures and datasets, and even in the real-world scenes. In particular, PRL improves the poisoning rate necessary to achieve high success rate.
- The paper provides extensive ablation studies on the parameters of the proposed attacks to support the design c

- It is not clear why, by default, the triggers are constrained to overlap with pixels of a single class only (if I understand it correctly, this happens both at training and test time): this seems a less natural choice than using a random position regardless of the class of the covered pixels. App. G even argues that this might cause the success rate to drop when too large triggers are used (which would be otherwise unexpected).
- Testing the proposed attacks on more recent and effective backb

- The paper introduces backdoor attacks in the context of semantic segmentation, a topic more closely related to AI applications than previous backdoor endeavors.
- The authors provide a robust formulation of backdoor attacks for semantic segmentations.
- The experimental results are striking, with a 95% attack success rate after poisoning only 10% of the VOC training set, which is quite remarkable.

- The paper did not provide experiments in the real world. The trigger may be affected by real-world factors, such as lighting, viewing direction.
- The trigger employed in this paper is sizable and conspicuous. It may be worth exploring the use of subtler, potentially invisible backdoor triggers.

1. The attack scenario has some practicality. The authors propose a novel attack task and reveal the impact of trigger proximity on the attack of the segmentation model.
2. The related work is presented exhaustively. The article provides an exhaustive review of related work and provides the reader with a historical background of research in this area.

1. The authors claim to be the first backdoor attack work on segmentation models, but in my opinion this is not the case. In fact, there have been some discussions about backdoors for segmentation models, e.g., [1], [2], and the authors should differentiate and compare with the above methods and demonstrate the advantages of the method.
2. Poisoning triggers are not realistic and require extremely high poisoning rates for effective backdoor attacks. Firstly, the presentation of the trigger in Fi
Taxonomy
Topics: Adversarial Robustness in Machine Learning
