ReVeil: Unconstrained Concealed Backdoor Attack on Deep Neural Networks using Machine Unlearning
Manaar Alam, Hithem Lamri, and Michail Maniatakos

TL;DR
ReVeil is a novel concealed backdoor attack on DNNs that operates during data collection, evades detection, and restores attack success post-deployment using machine unlearning, without requiring model access or auxiliary data.
Contribution
ReVeil introduces a practical, unconstrained backdoor attack method that bypasses existing defenses by targeting the data collection phase and leveraging machine unlearning.
Findings
Maintains low pre-deployment attack success rate across multiple datasets and triggers.
Successfully evades three popular backdoor detection methods.
Restores high attack success rate after deployment through machine unlearning.
Abstract
Backdoor attacks embed hidden functionalities in deep neural networks (DNN), triggering malicious behavior with specific inputs. Advanced defenses monitor anomalous DNN inferences to detect such attacks. However, concealed backdoors evade detection by maintaining a low pre-deployment attack success rate (ASR) and restoring high ASR post-deployment via machine unlearning. Existing concealed backdoors are often constrained by requiring white-box or black-box access or auxiliary data, limiting their practicality when such access or data is unavailable. This paper introduces ReVeil, a concealed backdoor attack targeting the data collection phase of the DNN training pipeline, requiring no model access or auxiliary data. ReVeil maintains low pre-deployment ASR across four datasets and four trigger patterns, successfully evades three popular backdoor detection methods, and restores high ASR…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
