Backdoor Attack with Invisible Triggers Based on Model Architecture Modification
This addresses a security vulnerability for users of pre-trained models by making backdoor attacks harder to detect, though it is incremental as it builds on existing architectural modification methods.
The paper tackles the problem of making backdoor attacks in machine learning models more stealthy by introducing a method that embeds invisible triggers through architectural modifications, achieving undetectability by both manual inspection and advanced tools in experiments on standard computer vision benchmarks.
Machine learning systems are vulnerable to backdoor attacks, where attackers manipulate model behavior through data tampering or architectural modifications. Traditional backdoor attacks involve injecting malicious samples with specific triggers into the training data, causing the model to produce targeted incorrect outputs in the presence of the corresponding triggers. More sophisticated attacks modify the model's architecture directly, embedding backdoors that are harder to detect as they evade traditional data-based detection methods. However, the drawback of the architectural modification based backdoor attacks is that the trigger must be visible in order to activate the backdoor. To further strengthen the invisibility of the backdoor attacks, a novel backdoor attack method is presented in the paper. To be more specific, this method embeds the backdoor within the model's architecture and has the capability to generate inconspicuous and stealthy triggers. The attack is implemented by modifying pre-trained models, which are then redistributed, thereby posing a potential threat to unsuspecting users. Comprehensive experiments conducted on standard computer vision benchmarks validate the effectiveness of this attack and highlight the stealthiness of its triggers, which remain undetectable through both manual visual inspection and advanced detection tools.