Rethinking the Trigger of Backdoor Attack
It addresses a security weakness in backdoor attacks for machine learning models, but is incremental as it builds on existing attack paradigms.
The paper identifies that static triggers in backdoor attacks are vulnerable when test triggers differ from training triggers, and explores using this property for defense and mitigating the vulnerability.
Backdoor attack intends to inject hidden backdoor into the deep neural networks (DNNs), such that the prediction of the infected model will be maliciously changed if the hidden backdoor is activated by the attacker-defined trigger, while it performs well on benign samples. Currently, most of existing backdoor attacks adopted the setting of \emph{static} trigger, $i.e.,$ triggers across the training and testing images follow the same appearance and are located in the same area. In this paper, we revisit this attack paradigm by analyzing the characteristics of the static trigger. We demonstrate that such an attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training. We further explore how to utilize this property for backdoor defense, and discuss how to alleviate such vulnerability of existing attacks.