A Practical Trigger-Free Backdoor Attack on Neural Networks
Jiahao Wang, Xianglong Zhang, Xiuzhen Cheng, Pengfei Hu, Guoming Zhang

TL;DR
This paper introduces a novel trigger-free backdoor attack on neural networks that does not require access to training data, enhancing attack practicality and stealthiness through a fine-tuning approach, knowledge distillation, and parameter importance evaluation.
Contribution
It presents the first trigger-free backdoor attack method that operates without training data, using a new fine-tuning technique and knowledge distillation to improve stealthiness and effectiveness.
Findings
Effective on three real-world datasets
Maintains model performance on benign samples
Enhances attack stealthiness and practicality
Abstract
Backdoor attacks on deep neural networks have emerged as significant security threats, especially as DNNs are increasingly deployed in security-critical applications. However, most existing works assume that the attacker has access to the original training data. This limitation restricts the practicality of launching such attacks in real-world scenarios. Additionally, using a specified trigger to activate the injected backdoor compromises the stealthiness of the attacks. To address these concerns, we propose a trigger-free backdoor attack that does not require access to any training data. Specifically, we design a novel fine-tuning approach that incorporates the concept of malicious data into the concept of the attacker-specified class, resulting in the misclassification of trigger-free malicious data into the attacker-specified class. Furthermore, instead of relying on training data to…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security
