Towards Backdoor Stealthiness in Model Parameter Space

TL;DR

This paper reveals that backdoor attacks stealthy in input and feature spaces can be detected in parameter space, and introduces Grond, a novel supply-chain attack that enhances stealthiness and effectiveness across multiple defenses.

Contribution

It uncovers a vulnerability in current backdoor attacks in parameter space and proposes Grond with ABI to improve stealthiness and attack success against diverse defenses.

Findings

Backdoor attacks in parameter space can be mitigated by examining model parameters.

Grond outperforms existing attacks against state-of-the-art defenses on multiple datasets.

ABI enhances the effectiveness of various backdoor attacks.

Abstract

Recent research on backdoor stealthiness focuses mainly on indistinguishable triggers in input space and inseparable backdoor representations in feature space, aiming to circumvent backdoor defenses that examine these respective spaces. However, existing backdoor attacks are typically designed to resist a specific type of backdoor defense without considering the diverse range of defense mechanisms. Based on this observation, we pose a natural question: Are current backdoor attacks truly a real-world threat when facing diverse practical defenses? To answer this question, we examine 12 common backdoor attacks that focus on input-space or feature-space stealthiness and 17 diverse representative defenses. Surprisingly, we reveal a critical blind spot: Backdoor attacks designed to be stealthy in input and feature spaces can be mitigated by examining backdoored models in parameter space. To investigate the underlying causes behind this common vulnerability, we study the characteristics of backdoor attacks in the parameter space. Notably, we find that input- and feature-space attacks introduce prominent backdoor-related neurons in parameter space, which are not thoroughly considered by current backdoor attacks. Taking comprehensive stealthiness into account, we propose a novel supply-chain attack called Grond. Grond limits the parameter changes by a simple yet effective module, Adversarial Backdoor Injection (ABI), which adaptively increases the parameter-space stealthiness during the backdoor injection. Extensive experiments demonstrate that Grond outperforms all 12 backdoor attacks against state-of-the-art (including adaptive) defenses on CIFAR-10, GTSRB, and a subset of ImageNet. In addition, we show that ABI consistently improves the effectiveness of common backdoor attacks.