Dynamic Mask-Based Backdoor Attack Against Vision AI Models: A Case Study on Mushroom Detection
Zeineb Dridi, Jihen Bennaceur, and Amine Ben Hassouna

TL;DR
This paper introduces a novel dynamic mask-based backdoor attack on object detection models. It demonstrates high success rates and stealthiness, especially in critical domains like mushroom detection, and highlights urgent security concerns.
Contribution
The work presents a new dynamic mask-based backdoor attack method utilizing SAM for trigger placement, surpassing traditional static pattern approaches, and emphasizes the risks in real-life applications.
Findings
High attack success rates on poisoned samples
Maintains high accuracy on clean data
Surpasses traditional static backdoor methods
Abstract
Deep learning has revolutionized numerous tasks within the computer vision field, including image classification, image segmentation, and object detection. However, the increasing deployment of deep learning models has exposed them to various adversarial attacks, including backdoor attacks. This paper presents a novel dynamic mask-based backdoor attack method, specifically designed for object detection models. We exploit a dataset poisoning technique to embed a malicious trigger, rendering any models trained on this compromised dataset vulnerable to our backdoor attack. We particularly focus on a mushroom detection dataset to demonstrate the practical risks posed by such attacks on critical real-life domains. Our work also emphasizes the importance of creating a detailed backdoor attack scenario to illustrate the significant risks associated with the outsourcing practice. Our approach…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Security and Verification in Computing
