LSP Framework: A Compensatory Model for Defeating Trigger Reverse Engineering via Label Smoothing Poisoning

TL;DR

This paper introduces the LSP framework, which uses label smoothing poisoning to manipulate classification confidence in neural networks, effectively defeating trigger reverse engineering backdoor defenses.

Contribution

It presents a novel perspective and a compensatory model for defeating trigger reverse engineering through label smoothing poisoning, enhancing backdoor attack robustness.

Findings

LSP effectively defeats state-of-the-art trigger reverse engineering defenses.

The framework is compatible with various backdoor attack methods.

Experimental results show high success rate in bypassing defenses.

Abstract

Deep neural networks are vulnerable to backdoor attacks. Among the existing backdoor defense methods, trigger reverse engineering based approaches, which reconstruct the backdoor triggers via optimizations, are the most versatile and effective ones compared to other types of methods. In this paper, we summarize and construct a generic paradigm for the typical trigger reverse engineering process. Based on this paradigm, we propose a new perspective to defeat trigger reverse engineering by manipulating the classification confidence of backdoor samples. To determine the specific modifications of classification confidence, we propose a compensatory model to compute the lower bound of the modification. With proper modifications, the backdoor attack can easily bypass the trigger reverse engineering based methods. To achieve this objective, we propose a Label Smoothing Poisoning (LSP) framework, which leverages label smoothing to specifically manipulate the classification confidences of backdoor samples. Extensive experiments demonstrate that the proposed work can defeat the state-of-the-art trigger reverse engineering based methods, and possess good compatibility with a variety of existing backdoor attacks.