CRCV | Feb 20, 2021

WaNet -- Imperceptible Warping-based Backdoor Attack

arXiv:2102.10369v4 | 30 citations
Originality: Highly original
AI Analysis

The paper addresses the security threat posed by pre-trained networks by showing that backdoor attacks can be made more stealthy and effective, representing a novel attack mechanism rather than an incremental improvement.

The paper tackles the problem of detectable backdoor attacks in deep learning by introducing a warping-based trigger that is more imperceptible to humans, achieving a wide margin of improvement in stealthiness over previous methods. It also proposes a "noise mode" of training to evade machine defenses, successfully bypassing state-of-the-art defenses on standard datasets like MNIST, CIFAR-10, GTSRB, and CelebA.

With the thriving of deep learning and the widespread practice of using pre-trained networks, backdoor attacks have become an increasing security threat drawing many research interests in recent years. A third-party model can be poisoned in training to work well in normal conditions but behave maliciously when a trigger pattern appears. However, the existing backdoor attacks are all built on noise perturbation triggers, making them noticeable to humans. In this paper, we instead propose using warping-based triggers. The proposed backdoor outperforms the previous methods in a human inspection test by a wide margin, proving its stealthiness. To make such models undetectable by machine defenders, we propose a novel training mode, called the "noise mode". The trained networks successfully attack and bypass the state-of-the-art defense methods on standard classification datasets, including MNIST, CIFAR-10, GTSRB, and CelebA. Behavior analyses show that our backdoors are transparent to network inspection, further proving this novel attack mechanism's efficiency.

Code Implementations: 1 repo