Generalization Bound and New Algorithm for Clean-Label Backdoor Attack
Lijia Yu, Shuang Liu, Yibo Miao, Xiao-Shan Gao, Lijun Zhang

TL;DR
This paper establishes the first generalization bounds for clean-label backdoor attacks and introduces a novel attack method combining adversarial noise with indiscriminate poisoning, demonstrating its effectiveness.
Contribution
It provides the first theoretical generalization bounds for backdoor attacks and proposes a new attack algorithm based on these insights.
Findings
Derived upper bounds on the clean-sample and poison population errors in the clean-label backdoor setting
Proposed a new attack method combining adversarial noise and indiscriminate poisoning
Demonstrated the effectiveness of the new attack in various settings
Abstract
The generalization bound is a crucial theoretical tool for assessing the generalizability of learning methods, and there is a vast literature on the generalizability of normal learning, adversarial learning, and data poisoning. Unlike other data poisoning attacks, the backdoor attack has the special property that the poisoned triggers are contained in both the training set and the test set, and the purpose of the attack is two-fold. To our knowledge, the generalization bound for the backdoor attack has not been established. In this paper, we fill this gap by deriving algorithm-independent generalization bounds in the clean-label backdoor attack scenario. Precisely, based on the goals of the backdoor attack, we give upper bounds for the clean-sample population error and the poison population error in terms of the empirical error on the poisoned training dataset. Furthermore, based on the…
Taxonomy
Topics: Advanced Malware Detection Techniques · Network Security and Intrusion Detection
Methods: Sparse Evolutionary Training
