Megatron: Evasive Clean-Label Backdoor Attacks against Vision Transformer
Xueluan Gong, Bowei Tian, Meng Xue, Shuike Li, Yanjiao Chen, Qian Wang

TL;DR
This paper introduces Megatron, a novel clean-label backdoor attack on vision transformers that uses attention-based triggers, achieving high success rates and evading existing defenses without label manipulation.
Contribution
The paper proposes a new attention-guided backdoor attack method for vision transformers that does not require label manipulation, enhancing attack success and evasiveness.
Findings
Achieves over 90% attack success rate on multiple datasets.
Outperforms baseline methods in evading human inspection and defenses.
Effective even with trigger position shifts during testing.
Abstract
Vision transformers have achieved impressive performance in various vision-related tasks, but their vulnerability to backdoor attacks is under-explored. A handful of existing works focus on dirty-label attacks with wrongly-labeled poisoned training samples, which may fail if a benign model trainer corrects the labels. In this paper, we propose Megatron, an evasive clean-label backdoor attack against vision transformers, where the attacker injects the backdoor without manipulating the data-labeling process. To generate an effective trigger, we customize two loss terms based on the attention mechanism used in transformer networks, i.e., latent loss and attention diffusion loss. The latent loss aligns the last attention layer between triggered samples and clean samples of the target label. The attention diffusion loss emphasizes the attention diffusion area that encompasses the trigger. A…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Physical Unclonable Functions (PUFs) and Hardware Security · Advanced Malware Detection Techniques
Methods: Softmax · Attention Is All You Need · Diffusion · Focus
