Long-Tailed Backdoor Attack Using Dynamic Data Augmentation Operations

TL;DR

This paper introduces D$^2$AO, a novel backdoor attack method tailored for long-tailed datasets, utilizing dynamic data augmentation and sample-specific triggers to enhance attack effectiveness while maintaining model accuracy.

Contribution

The paper pioneers backdoor attack research on long-tailed datasets and proposes D$^2$AO, a dynamic augmentation-based method with sample-specific triggers for improved attack success.

Findings

Achieves state-of-the-art attack performance.

Maintains high clean accuracy.

Effective on imbalanced, long-tailed datasets.

Abstract

Recently, backdoor attack has become an increasing security threat to deep neural networks and drawn the attention of researchers. Backdoor attacks exploit vulnerabilities in third-party pretrained models during the training phase, enabling them to behave normally for clean samples and mispredict for samples with specific triggers. Existing backdoor attacks mainly focus on balanced datasets. However, real-world datasets often follow long-tailed distributions. In this paper, for the first time, we explore backdoor attack on such datasets. Specifically, we first analyze the influence of data imbalance on backdoor attack. Based on our analysis, we propose an effective backdoor attack named Dynamic Data Augmentation Operation (D$^2$AO). We design D$^2$AO selectors to select operations depending jointly on the class, sample type (clean vs. backdoored) and sample features. Meanwhile, we develop a trigger generator to generate sample-specific triggers. Through simultaneous optimization of the backdoored model and trigger generator, guided by dynamic data augmentation operation selectors, we achieve significant advancements. Extensive experiments demonstrate that our method can achieve the state-of-the-art attack performance while preserving the clean accuracy.