PatchBackdoor: Backdoor Attack against Deep Neural Networks without Model Modification
Yizhen Yuan (1), Rui Kong (3), Shenghao Xie (4), Yuanchun Li (1, 2), Yunxin Liu (1, 2) ((1) Institute for AI Industry Research (AIR), Tsinghua University, Beijing, China, (2) Shanghai AI Laboratory, Shanghai, China, (3) Shanghai Jiao Tong University, Shanghai, China

TL;DR
This paper introduces PatchBackdoor, a novel backdoor attack method that uses a physical patch placed in front of the camera, enabling attack success without modifying the neural network model itself.
Contribution
It presents a new physical backdoor attack approach that does not require model modification, using a trained patch to trigger misclassification in real-world scenarios.
Findings
Achieves 93-99% attack success rate on various models
Effective in real-world physical environments
Does not require model retraining or modification
Abstract
Backdoor attack is a major threat to deep learning systems in safety-critical scenarios, which aims to trigger misbehavior of neural network models under attacker-controlled conditions. However, most backdoor attacks have to modify the neural network models through training with poisoned data and/or direct model editing, which leads to a common but false belief that backdoor attacks can be easily avoided by properly protecting the model. In this paper, we show that backdoor attacks can be achieved without any model modification. Instead of injecting backdoor logic into the training data or the model, we propose to place a carefully-designed patch (namely backdoor patch) in front of the camera, which is fed into the model together with the input images. The patch can be trained to behave normally most of the time, while producing a wrong prediction when the input image contains an…
