CUBA: Controlled Untargeted Backdoor Attack against Deep Neural Networks

TL;DR

This paper introduces CUBA, a novel controlled untargeted backdoor attack on deep neural networks that evades existing defenses by classifying backdoor inputs into random classes within a constrained range.

Contribution

The paper proposes a new untargeted backdoor attack method that combines randomness with targeted constraints, and demonstrates its effectiveness against current defenses.

Findings

CUBA effectively circumvents existing backdoor defenses.

The attack achieves high success rates across multiple datasets.

Logit normalization enables controlled untargeted backdoor behavior.

Abstract

Backdoor attacks have emerged as a critical security threat against deep neural networks in recent years. The majority of existing backdoor attacks focus on targeted backdoor attacks, where trigger is strongly associated to specific malicious behavior. Various backdoor detection methods depend on this inherent property and shows effective results in identifying and mitigating such targeted attacks. However, a purely untargeted attack in backdoor scenarios is, in some sense, self-weakening, since the target nature is what makes backdoor attacks so powerful. In light of this, we introduce a novel Constrained Untargeted Backdoor Attack (CUBA), which combines the flexibility of untargeted attacks with the intentionality of targeted attacks. The compromised model, when presented with backdoor images, will classify them into random classes within a constrained range of target classes selected by the attacker. This combination of randomness and determinedness enables the proposed untargeted backdoor attack to natively circumvent existing backdoor defense methods. To implement the untargeted backdoor attack under controlled flexibility, we propose to apply logit normalization on cross-entropy loss with flipped one-hot labels. By constraining the logit during training, the compromised model will show a uniform distribution across selected target classes, resulting in controlled untargeted attack. Extensive experiments demonstrate the effectiveness of the proposed CUBA on different datasets.