An Effective and Resilient Backdoor Attack Framework against Deep Neural Networks and Vision Transformers

TL;DR

This paper introduces a novel backdoor attack framework that optimizes trigger shape, location, and transparency, enhancing attack success rate and naturalness of poisoned samples while maintaining robustness against defenses.

Contribution

It proposes an attention-based trigger generation, QoE-aware loss adjustment, and an alternating retraining algorithm, extending the attack to both DNNs and vision transformers.

Findings

Achieves up to 82% higher attack success rate over baselines.

Produces more natural backdoored samples with high QoE.

Remains effective against state-of-the-art defenses.

Abstract

Recent studies have revealed the vulnerability of Deep Neural Network (DNN) models to backdoor attacks. However, existing backdoor attacks arbitrarily set the trigger mask or use a randomly selected trigger, which restricts the effectiveness and robustness of the generated backdoor triggers. In this paper, we propose a novel attention-based mask generation methodology that searches for the optimal trigger shape and location. We also introduce a Quality-of-Experience (QoE) term into the loss function and carefully adjust the transparency value of the trigger in order to make the backdoored samples to be more natural. To further improve the prediction accuracy of the victim model, we propose an alternating retraining algorithm in the backdoor injection process. The victim model is retrained with mixed poisoned datasets in even iterations and with only benign samples in odd iterations. Besides, we launch the backdoor attack under a co-optimized attack framework that alternately optimizes the backdoor trigger and backdoored model to further improve the attack performance. Apart from DNN models, we also extend our proposed attack method against vision transformers. We evaluate our proposed method with extensive experiments on VGG-Flower, CIFAR-10, GTSRB, CIFAR-100, and ImageNette datasets. It is shown that we can increase the attack success rate by as much as 82\% over baselines when the poison ratio is low and achieve a high QoE of the backdoored samples. Our proposed backdoor attack framework also showcases robustness against state-of-the-art backdoor defenses.