Abstract
Deep neural networks (DNNs) are vulnerable to backdoor attacks, where a backdoored model behaves normally with clean inputs but exhibits attacker-specified behaviors upon the inputs containing triggers. Most previous backdoor attacks mainly focus on either the all-to-one or all-to-all paradigm, allowing attackers to manipulate an input to attack a single target class. Besides, the two paradigms rely on a single trigger for backdoor activation, rendering attacks ineffective if the trigger is destroyed. In light of the above, we propose a new M-to-N attack paradigm that allows an attacker to manipulate any input to attack N target classes, and each backdoor of the N target classes can be activated by any one of its M triggers. Our attack selects M clean images from each target class as triggers and leverages our proposed poisoned image generation framework to inject the triggers into clean images invisibly. By using triggers with the same distribution as clean training images, the targeted DNN models can generalize to the triggers during training, thereby enhancing the effectiveness of our attack on multiple target classes. Extensive experimental results demonstrate that our new backdoor attack is highly effective in attacking multiple target classes and robust against pre-processing operations and existing defenses.
| Original language | English |
|---|---|
| Pages (from-to) | 11299-11312 |
| Number of pages | 14 |
| Journal | IEEE Transactions on Circuits and Systems for Video Technology |
| Volume | 34 |
| Issue number | 11 |
| DOIs | |
| Publication status | Published - Jun 2024 |
Keywords
- Backdoor attack
- clean features
- deep neural networks
- poisoning attack
- trojan attack
ASJC Scopus subject areas
- Media Technology
- Electrical and Electronic Engineering