CatBack: Universal Backdoor Attacks on Tabular Data via Categorical Encoding
Behrad Tajalli, Stefanos Koffas, Stjepan Picek

TL;DR
This paper introduces a novel backdoor attack on tabular data that effectively manipulates models using a universal gradient-based perturbation, highlighting a significant security vulnerability in machine learning systems handling mixed data types.
Contribution
The paper presents a new technique to convert categorical data into floating-point representations for backdoor attacks, enabling a universal attack applicable to various features and models.
Findings
Achieves up to 100% attack success rate in multiple settings
Outperforms previous methods like Tabdoor in effectiveness
Successfully bypasses several state-of-the-art defenses
Abstract
Backdoor attacks in machine learning have drawn significant attention for their potential to compromise models stealthily, yet most research has focused on homogeneous data such as images. In this work, we propose a novel backdoor attack on tabular data, which is particularly challenging due to the presence of both numerical and categorical features. Our key idea is a novel technique to convert categorical values into floating-point representations. This approach preserves enough information to maintain clean-model accuracy compared to traditional methods like one-hot or ordinal encoding. By doing this, we create a gradient-based universal perturbation that applies to all features, including categorical ones. We evaluate our method on five datasets and four popular models. Our results show up to a 100% attack success rate in both white-box and black-box settings (including real-world…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Explainable Artificial Intelligence (XAI)
