CR, AI, CV, LG | Jan 5, 2023

Silent Killer: A Stealthy, Clean-Label, Black-Box Backdoor Attack

arXiv:2301.02615v23 citations | h-index: 67
Originality: Incremental advance
AI Analysis

The paper addresses security vulnerabilities in neural networks for applications like image classification, though it is incremental as it builds on existing adversarial perturbation methods.

The paper tackles the problem of backdoor poisoning attacks in neural networks by introducing Silent Killer, a stealthy, clean-label, black-box attack that uses universal adversarial perturbations as triggers, achieving state-of-the-art results on datasets like MNIST, CIFAR10, and ImageNet.

Backdoor poisoning attacks pose a well-known risk to neural networks. However, most studies have focused on lenient threat models. We introduce Silent Killer, a novel attack that operates in clean-label, black-box settings, uses a stealthy poison and trigger and outperforms existing methods. We investigate the use of universal adversarial perturbations as triggers in clean-label attacks, following the success of such approaches under poison-label settings. We analyze the success of a naive adaptation and find that gradient alignment for crafting the poison is required to ensure high success rates. We conduct thorough experiments on MNIST, CIFAR10, and a reduced version of ImageNet and achieve state-of-the-art results.

Code Implementations: 1 repo