Breaking the Stealth-Potency Trade-off in Clean-Image Backdoors with Generative Trigger Optimization
Binyan Xu, Fan Yang, Di Tang, Xilin Dai, Kehuan Zhang

TL;DR
This paper introduces GCB, a novel framework using generative models to create stealthy triggers for clean-image backdoors, significantly reducing accuracy loss and demonstrating versatility across multiple datasets and tasks.
Contribution
The paper proposes a new generative trigger optimization method that minimizes accuracy degradation and enhances stealthiness in clean-image backdoor attacks.
Findings
Achieves less than 1% drop in clean accuracy
Successfully applies to six datasets, five architectures, and four tasks
Demonstrates robustness against existing defenses
Abstract
Clean-image backdoor attacks, which use only label manipulation in training datasets to compromise deep neural networks, pose a significant threat to security-critical applications. A critical flaw in existing methods is that the poison rate required for a successful attack induces a proportional, and thus noticeable, drop in Clean Accuracy (CA), undermining their stealthiness. This paper presents a new paradigm for clean-image attacks that minimizes this accuracy degradation by optimizing the trigger itself. We introduce Generative Clean-Image Backdoors (GCB), a framework that uses a conditional InfoGAN to identify naturally occurring image features that can serve as potent and stealthy triggers. By ensuring these triggers are easily separable from benign task-related features, GCB enables a victim model to learn the backdoor from an extremely small set of poisoned examples, resulting…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Advanced Malware Detection Techniques
