A Dual Stealthy Backdoor: From Both Spatial and Frequency Perspectives

TL;DR

This paper introduces DUBA, a dual stealthy backdoor attack that embeds triggers in both spatial and frequency domains, significantly improving attack success and stealthiness against image classifiers.

Contribution

The paper proposes a novel backdoor attack method considering both spatial and frequency domain invisibility, enhancing stealthiness and attack effectiveness over existing methods.

Findings

DUBA achieves higher attack success rates than state-of-the-art methods.

DUBA's triggers are more difficult to detect using current defenses.

Extensive evaluations on four datasets validate DUBA's superior performance.

Abstract

Backdoor attacks pose serious security threats to deep neural networks (DNNs). Backdoored models make arbitrarily (targeted) incorrect predictions on inputs embedded with well-designed triggers while behaving normally on clean inputs. Many works have explored the invisibility of backdoor triggers to improve attack stealthiness. However, most of them only consider the invisibility in the spatial domain without explicitly accounting for the generation of invisible triggers in the frequency domain, making the generated poisoned images be easily detected by recent defense methods. To address this issue, in this paper, we propose a DUal stealthy BAckdoor attack method named DUBA, which simultaneously considers the invisibility of triggers in both the spatial and frequency domains, to achieve desirable attack performance, while ensuring strong stealthiness. Specifically, we first use Discrete Wavelet Transform to embed the high-frequency information of the trigger image into the clean image to ensure attack effectiveness. Then, to attain strong stealthiness, we incorporate Fourier Transform and Discrete Cosine Transform to mix the poisoned image and clean image in the frequency domain. Moreover, the proposed DUBA adopts a novel attack strategy, in which the model is trained with weak triggers and attacked with strong triggers to further enhance the attack performance and stealthiness. We extensively evaluate DUBA against popular image classifiers on four datasets. The results demonstrate that it significantly outperforms the state-of-the-art backdoor attacks in terms of the attack success rate and stealthiness