DBIA: Data-free Backdoor Injection Attack against Transformer Networks
This addresses security vulnerabilities in widely used transformer models for computer vision, presenting an incremental improvement in attack efficiency.
The paper tackles the problem of backdoor attacks on transformer networks in computer vision, proposing DBIA, a data-free method that achieves high success rates with low resource consumption, as demonstrated on ViT, DeiT, and Swin Transformer models using CIFAR10 and ImageNet datasets.
Recently, transformer architecture has demonstrated its significance in both Natural Language Processing (NLP) and Computer Vision (CV) tasks. Though other network models are known to be vulnerable to the backdoor attack, which embeds triggers in the model and controls the model behavior when the triggers are presented, little is known whether such an attack is still valid on the transformer models and if so, whether it can be done in a more cost-efficient manner. In this paper, we propose DBIA, a novel data-free backdoor attack against the CV-oriented transformer networks, leveraging the inherent attention mechanism of transformers to generate triggers and injecting the backdoor using the poisoned surrogate dataset. We conducted extensive experiments based on three benchmark transformers, i.e., ViT, DeiT and Swin Transformer, on two mainstream image classification tasks, i.e., CIFAR10 and ImageNet. The evaluation results demonstrate that, consuming fewer resources, our approach can embed backdoors with a high success rate and a low impact on the performance of the victim transformers. Our code is available at https://anonymous.4open.science/r/DBIA-825D.