BadSAD: Clean-Label Backdoor Attacks against Deep Semi-Supervised Anomaly Detection

TL;DR

This paper introduces BadSAD, a new backdoor attack framework targeting Deep Semi-Supervised Anomaly Detection models, demonstrating significant security vulnerabilities through effective trigger injection and latent space manipulation.

Contribution

The paper presents a novel backdoor attack method specifically designed for DeepSAD models, combining trigger embedding and latent space clustering to evade detection.

Findings

Effective backdoor attack demonstrated on benchmark datasets

Severe security risks identified for deep anomaly detection systems

Trigger embedding and latent manipulation successfully evade defenses

Abstract

Image anomaly detection (IAD) is essential in applications such as industrial inspection, medical imaging, and security. Despite the progress achieved with deep learning models like Deep Semi-Supervised Anomaly Detection (DeepSAD), these models remain susceptible to backdoor attacks, presenting significant security challenges. In this paper, we introduce BadSAD, a novel backdoor attack framework specifically designed to target DeepSAD models. Our approach involves two key phases: trigger injection, where subtle triggers are embedded into normal images, and latent space manipulation, which positions and clusters the poisoned images near normal images to make the triggers appear benign. Extensive experiments on benchmark datasets validate the effectiveness of our attack strategy, highlighting the severe risks that backdoor attacks pose to deep learning-based anomaly detection systems.