INK: Inheritable Natural Backdoor Attack Against Model Distillation

TL;DR

INK introduces a novel backdoor attack leveraging natural dataset features, enabling stealthy, high-success attacks against model distillation even with defenses, by using image variance as a trigger.

Contribution

The paper presents INK, a natural backdoor attack that exploits inherent dataset features to bypass defenses during model distillation, a novel approach in backdoor attack research.

Findings

Achieves over 98% attack success rate post-distillation.

Maintains robustness against various defense strategies.

Outperforms existing methods with a success rate of 1.4%.

Abstract

Deep learning models are vulnerable to backdoor attacks, where attackers inject malicious behavior through data poisoning and later exploit triggers to manipulate deployed models. To improve the stealth and effectiveness of backdoors, prior studies have introduced various imperceptible attack methods targeting both defense mechanisms and manual inspection. However, all poisoning-based attacks still rely on privileged access to the training dataset. Consequently, model distillation using a trusted dataset has emerged as an effective defense against these attacks. To bridge this gap, we introduce INK, an inheritable natural backdoor attack that targets model distillation. The key insight behind INK is the use of naturally occurring statistical features in all datasets, allowing attackers to leverage them as backdoor triggers without direct access to the training data. Specifically, INK employs image variance as a backdoor trigger and enables both clean-image and clean-label attacks by manipulating the labels and image variance in an unauthenticated dataset. Once the backdoor is embedded, it transfers from the teacher model to the student model, even when defenders use a trusted dataset for distillation. Theoretical analysis and experimental results demonstrate the robustness of INK against transformation-based, search-based, and distillation-based defenses. For instance, INK maintains an attack success rate of over 98\% post-distillation, compared to an average success rate of 1.4\% for existing methods.