DFB: A Data-Free, Low-Budget, and High-Efficacy Clean-Label Backdoor Attack

TL;DR

This paper introduces DFB, a novel clean-label backdoor attack method that is data-free, low-cost, and highly effective, even with minimal poisoning rates, challenging existing defenses and not requiring access to training data.

Contribution

DFB is the first clean-label backdoor attack that operates without training data access, relying only on target class knowledge, and achieves superior success rates with minimal poisoning.

Findings

DFB achieves high attack success rates with very low poisoning rates.

DFB outperforms existing methods like LC, HTBA, BadNets, and Blend.

DFB effectively bypasses four established backdoor defenses.

Abstract

In the domain of backdoor attacks, accurate labeling of injected data is essential for evading rudimentary detection mechanisms. This imperative has catalyzed the development of clean-label attacks, which are notably more elusive as they preserve the original labels of the injected data. Current clean-label attack methodologies primarily depend on extensive knowledge of the training dataset. However, practically, such comprehensive dataset access is often unattainable, given that training datasets are typically compiled from various independent sources. Departing from conventional clean-label attack methodologies, our research introduces DFB, a data-free, low-budget, and high-efficacy clean-label backdoor Attack. DFB is unique in its independence from training data access, requiring solely the knowledge of a specific target class. Tested on CIFAR10, Tiny-ImageNet, and TSRD, DFB demonstrates remarkable efficacy with minimal poisoning rates of just 0.1%, 0.025%, and 0.4%, respectively. These rates are significantly lower than those required by existing methods such as LC, HTBA, BadNets, and Blend, yet DFB achieves superior attack success rates. Furthermore, our findings reveal that DFB poses a formidable challenge to four established backdoor defense algorithms, indicating its potential as a robust tool in advanced clean-label attack strategies.