Flareon: Stealthy any2any Backdoor Injection via Poisoned Augmentation
This addresses a critical security vulnerability in open-source deep learning ecosystems, enabling attackers to inject backdoors without prior knowledge of model details, posing a significant threat to mission-critical applications.
The paper tackles the problem of stealthy backdoor injection in deep neural networks by proposing Flareon, a method that poisons data augmentation pipelines with motion-based triggers, achieving high attack success rates for any target choices and better clean accuracies than existing attacks.
Open software supply chain attacks, once successful, can exact heavy costs in mission-critical applications. As open-source ecosystems for deep learning flourish and become increasingly universal, they present attackers previously unexplored avenues to code-inject malicious backdoors in deep neural network models. This paper proposes Flareon, a small, stealthy, seemingly harmless code modification that specifically targets the data augmentation pipeline with motion-based triggers. Flareon neither alters ground-truth labels, nor modifies the training loss objective, nor does it assume prior knowledge of the victim model architecture, training data, and training hyperparameters. Yet, it has a surprisingly large ramification on training -- models trained under Flareon learn powerful target-conditional (or "any2any") backdoors. The resulting models can exhibit high attack success rates for any target choices and better clean accuracies than backdoor attacks that not only seize greater control, but also assume more restrictive attack capabilities. We also demonstrate the effectiveness of Flareon against recent defenses. Flareon is fully open-source and available online to the deep learning community: https://github.com/lafeat/flareon.