Enhancing Clean Label Backdoor Attack with Two-phase Specific Triggers
This work addresses security vulnerabilities in DNNs for applications like image recognition, offering a more stealthy attack method that could evade detection, though it is incremental in improving existing clean-label backdoor techniques.
The paper tackles the problem of enhancing stealthiness and effectiveness in clean-label backdoor attacks on deep neural networks by proposing a two-phase, image-specific trigger generation method, achieving a high attack success rate of 98.98% with a low poisoning rate of 5%.
Backdoor attacks threaten Deep Neural Networks (DNNs). Towards stealthiness, researchers propose clean-label backdoor attacks, which require the adversaries not to alter the labels of the poisoned training datasets. Clean-label settings make the attack more stealthy due to the correct image-label pairs, but some problems still exist: first, traditional methods for poisoning training data are ineffective; second, traditional triggers are not stealthy which are still perceptible. To solve these problems, we propose a two-phase and image-specific triggers generation method to enhance clean-label backdoor attacks. Our methods are (1) powerful: our triggers can both promote the two phases (i.e., the backdoor implantation and activation phase) in backdoor attacks simultaneously; (2) stealthy: our triggers are generated from each image. They are image-specific instead of fixed triggers. Extensive experiments demonstrate that our approach can achieve a fantastic attack success rate~(98.98%) with low poisoning rate~(5%), high stealthiness under many evaluation metrics and is resistant to backdoor defense methods.