One-to-Multiple Clean-Label Image Camouflage (OmClic) based Backdoor Attack on Deep Learning
Guohong Wang, Hua Ma, Yansong Gao, Alsharif Abuadbba, Zhi Zhang, Wei Kang, Said F. Al-Sarawi, Gongxuan Zhang, Derek Abbott

TL;DR
This paper introduces OmClic, a novel clean-label backdoor attack that crafts a single camouflage image effective across multiple input sizes, reducing attack costs and increasing transferability.
Contribution
OmClic is the first attack that constructs a single image fitting multiple input sizes simultaneously, enabling efficient backdoor implantation across diverse models with a unified poisoned image.
Findings
OmClic successfully targets 5 input sizes with one image.
High attack success rates achieved across various models and input sizes.
Reduced attack budget by a factor of M compared to previous methods.
Abstract
Image camouflage has been utilized to create clean-label poisoned images for implanting backdoor into a DL model. But there exists a crucial limitation that one attack/poisoned image can only fit a single input size of the DL model, which greatly increases its attack budget when attacking multiple commonly adopted input sizes of DL models. This work proposes to constructively craft an attack image through camouflaging but can fit multiple DL models' input sizes simultaneously, namely OmClic. Thus, through OmClic, we are able to always implant a backdoor regardless of which common input size is chosen by the user to train the DL model given the same attack budget (i.e., a fraction of the poisoning rate). With our camouflaging algorithm formulated as a multi-objective optimization, M=5 input sizes can be concurrently targeted with one attack image, which artifact is retained to be almost…
Taxonomy
Topics: Image Processing Techniques and Applications · Digital Media Forensic Detection · Adversarial Robustness in Machine Learning
