Backdooring Outlier Detection Methods: A Novel Attack Approach

TL;DR

This paper introduces BATOD, a novel backdoor attack that specifically targets outlier detection in classifiers, revealing vulnerabilities in open-set performance and surpassing previous attacks in degrading classifier robustness.

Contribution

The study proposes BATOD, a new backdoor attack designed to confuse open-set decision boundaries, addressing a gap in existing attack methods focused on closed-set performance.

Findings

BATOD effectively degrades open-set performance of classifiers.

Existing backdoor attacks are ineffective against outlier detection.

BATOD outperforms previous attacks before and after defenses.

Abstract

There have been several efforts in backdoor attacks, but these have primarily focused on the closed-set performance of classifiers (i.e., classification). This has left a gap in addressing the threat to classifiers' open-set performance, referred to as outlier detection in the literature. Reliable outlier detection is crucial for deploying classifiers in critical real-world applications such as autonomous driving and medical image analysis. First, we show that existing backdoor attacks fall short in affecting the open-set performance of classifiers, as they have been specifically designed to confuse intra-closed-set decision boundaries. In contrast, an effective backdoor attack for outlier detection needs to confuse the decision boundary between the closed and open sets. Motivated by this, in this study, we propose BATOD, a novel Backdoor Attack targeting the Outlier Detection task. Specifically, we design two categories of triggers to shift inlier samples to outliers and vice versa. We evaluate BATOD using various real-world datasets and demonstrate its superior ability to degrade the open-set performance of classifiers compared to previous attacks, both before and after applying defenses.