LG | AI | CR | CV | Dec 6, 2024

Backdooring Outlier Detection Methods: A Novel Attack Approach

arXiv:2412.05010v1 | 2 citations | h-index: 3
Originality: Highly original
AI Analysis

This work addresses a critical security gap in deploying classifiers in applications such as autonomous driving and medical image analysis, where reliable outlier detection is essential.

The paper tackles backdoor attacks on classifiers' outlier detection performance. It proposes BATOD, a novel attack that degrades open-set performance by shifting inliers to outliers and vice versa, and demonstrates superior effectiveness over previous attacks on real-world datasets.

There have been several efforts in backdoor attacks, but these have primarily focused on the closed-set performance of classifiers (i.e., classification). This has left a gap in addressing the threat to classifiers' open-set performance, referred to as outlier detection in the literature. Reliable outlier detection is crucial for deploying classifiers in critical real-world applications such as autonomous driving and medical image analysis. First, we show that existing backdoor attacks fall short in affecting the open-set performance of classifiers, as they have been specifically designed to confuse intra-closed-set decision boundaries. In contrast, an effective backdoor attack for outlier detection needs to confuse the decision boundary between the closed and open sets. Motivated by this, in this study, we propose BATOD, a novel Backdoor Attack targeting the Outlier Detection task. Specifically, we design two categories of triggers to shift inlier samples to outliers and vice versa. We evaluate BATOD using various real-world datasets and demonstrate its superior ability to degrade the open-set performance of classifiers compared to previous attacks, both before and after applying defenses.
