Invisible Clean-Label Backdoor Attacks for Generative Data Augmentation

TL;DR

This paper introduces InvLBA, a novel invisible clean-label backdoor attack targeting generative data augmentation, which significantly improves attack success rates while maintaining model accuracy and robustness.

Contribution

We propose InvLBA, a latent feature-level backdoor attack method for generative augmentation, with theoretical guarantees and superior empirical performance over pixel-level approaches.

Findings

InvLBA achieves a 46.43% higher attack success rate on average.

The method maintains almost no reduction in clean accuracy.

InvLBA demonstrates high robustness against state-of-the-art defenses.

Abstract

With the rapid advancement of image generative models, generative data augmentation has become an effective way to enrich training images, especially when only small-scale datasets are available. At the same time, in practical applications, generative data augmentation can be vulnerable to clean-label backdoor attacks, which aim to bypass human inspection. However, based on theoretical analysis and preliminary experiments, we observe that directly applying existing pixel-level clean-label backdoor attack methods (e.g., COMBAT) to generated images results in low attack success rates. This motivates us to move beyond pixel-level triggers and focus instead on the latent feature level. To this end, we propose InvLBA, an invisible clean-label backdoor attack method for generative data augmentation by latent perturbation. We theoretically prove that the generalization of the clean accuracy and attack success rates of InvLBA can be guaranteed. Experiments on multiple datasets show that our method improves the attack success rate by 46.43% on average, with almost no reduction in clean accuracy and high robustness against SOTA defense methods.