Backdoor Attack With Sparse and Invisible Trigger

Deep neural networks (DNNs) are vulnerable to backdoor attacks, where the adversary manipulates a small portion of training data such that the victim model predicts normally on the benign samples but classifies the triggered samples as the target class. The backdoor attack is an emerging yet threate...

Ausführliche Beschreibung

Gespeichert in:

Bibliographische Detailangaben
Veröffentlicht in:	IEEE transactions on information forensics and security 2024, Vol.19, p.6364-6376
Hauptverfasser:	Gao, Yinghua, Li, Yiming, Gong, Xueluan, Li, Zhifeng, Xia, Shu-Tao, Wang, Qian
Format:	Artikel
Sprache:	eng
Schlagworte:	Additives AI security Artificial neural networks Backdoor attack Data models invisibility Optimization Perturbation methods Security sparsity Task analysis Training trustworthy ML
Online-Zugang:	Volltext bestellen
Tags:	Tag hinzufügen Keine Tags, Fügen Sie den ersten Tag hinzu!

container_end_page	6376
container_issue
container_start_page	6364
container_title	IEEE transactions on information forensics and security
container_volume	19
creator	Gao, Yinghua Li, Yiming Gong, Xueluan Li, Zhifeng Xia, Shu-Tao Wang, Qian
description	Deep neural networks (DNNs) are vulnerable to backdoor attacks, where the adversary manipulates a small portion of training data such that the victim model predicts normally on the benign samples but classifies the triggered samples as the target class. The backdoor attack is an emerging yet threatening training-phase threat, leading to serious risks in DNN-based applications. In this paper, we revisit the trigger patterns of existing backdoor attacks. We reveal that they are either visible or not sparse and therefore are not stealthy enough. More importantly, it is not feasible to simply combine existing methods to design an effective sparse and invisible backdoor attack. To address this problem, we formulate the trigger generation as a bi-level optimization problem with sparsity and invisibility constraints and propose an effective method to solve it. The proposed method is dubbed sparse and invisible backdoor attack (SIBA). We conduct extensive experiments on benchmark datasets under different settings, which verify the effectiveness of our attack and its resistance to existing backdoor defenses. The codes for reproducing main experiments are available at https://github.com/YinghuaGao/SIBA .
doi_str_mv	10.1109/TIFS.2024.3411936
format	Article
fullrecord	<record><control><sourceid>proquest_RIE</sourceid><recordid>TN_cdi_crossref_primary_10_1109_TIFS_2024_3411936</recordid><sourceformat>XML</sourceformat><sourcesystem>PC</sourcesystem><ieee_id>10552303</ieee_id><sourcerecordid>3072323266</sourcerecordid><originalsourceid>FETCH-LOGICAL-c219t-e97ac06008afe9c30f58c73beac43286a6075be1e22ba0a6b02119a3cae363ad3</originalsourceid><addsrcrecordid>eNpNkEFLw0AQhRdRsFZ_gOAh4Dl1ZifZJMdarBYKHlrxuEy2k5pam7qbCv33prSIzGHe4b2Zx6fULcIAEYqH-WQ8G2jQyYASxILMmephmprYgMbzP410qa5CWAEkCZq8p_CR3eeiaXw0bNtORu91-xHNtuyDRLxZRJPNTx3qci3R3NfLpfhrdVHxOsjNaffV2_hpPnqJp6_Pk9FwGjuNRRtLkbEDA5BzJYUjqNLcZVQKu4R0bthAlpaConXJwKbsemLB5FjIEC-or-6Pd7e--d5JaO2q2flN99ISZJq6MaZz4dHlfBOCl8puff3Ffm8R7IGMPZCxBzL2RKbL3B0ztYj886epJiD6BbHRXeY</addsrcrecordid><sourcetype>Aggregation Database</sourcetype><iscdi>true</iscdi><recordtype>article</recordtype><pqid>3072323266</pqid></control><display><type>article</type><title>Backdoor Attack With Sparse and Invisible Trigger</title><source>IEEE Electronic Library (IEL)</source><creator>Gao, Yinghua ; Li, Yiming ; Gong, Xueluan ; Li, Zhifeng ; Xia, Shu-Tao ; Wang, Qian</creator><creatorcontrib>Gao, Yinghua ; Li, Yiming ; Gong, Xueluan ; Li, Zhifeng ; Xia, Shu-Tao ; Wang, Qian</creatorcontrib><description>Deep neural networks (DNNs) are vulnerable to backdoor attacks, where the adversary manipulates a small portion of training data such that the victim model predicts normally on the benign samples but classifies the triggered samples as the target class. The backdoor attack is an emerging yet threatening training-phase threat, leading to serious risks in DNN-based applications. In this paper, we revisit the trigger patterns of existing backdoor attacks. We reveal that they are either visible or not sparse and therefore are not stealthy enough. More importantly, it is not feasible to simply combine existing methods to design an effective sparse and invisible backdoor attack. To address this problem, we formulate the trigger generation as a bi-level optimization problem with sparsity and invisibility constraints and propose an effective method to solve it. The proposed method is dubbed sparse and invisible backdoor attack (SIBA). We conduct extensive experiments on benchmark datasets under different settings, which verify the effectiveness of our attack and its resistance to existing backdoor defenses. The codes for reproducing main experiments are available at https://github.com/YinghuaGao/SIBA .</description><identifier>ISSN: 1556-6013</identifier><identifier>EISSN: 1556-6021</identifier><identifier>DOI: 10.1109/TIFS.2024.3411936</identifier><identifier>CODEN: ITIFA6</identifier><language>eng</language><publisher>New York: IEEE</publisher><subject>Additives ; AI security ; Artificial neural networks ; Backdoor attack ; Data models ; invisibility ; Optimization ; Perturbation methods ; Security ; sparsity ; Task analysis ; Training ; trustworthy ML</subject><ispartof>IEEE transactions on information forensics and security, 2024, Vol.19, p.6364-6376</ispartof><rights>Copyright The Institute of Electrical and Electronics Engineers, Inc. (IEEE) 2024</rights><lds50>peer_reviewed</lds50><oa>free_for_read</oa><woscitedreferencessubscribed>false</woscitedreferencessubscribed><cites>FETCH-LOGICAL-c219t-e97ac06008afe9c30f58c73beac43286a6075be1e22ba0a6b02119a3cae363ad3</cites><orcidid>0000-0002-9653-7907 ; 0000-0002-8639-982X ; 0000-0003-2190-8117 ; 0000-0002-7158-2613 ; 0000-0002-2258-265X ; 0000-0002-8967-8525</orcidid></display><links><openurl>$$Topenurl_article</openurl><openurlfulltext>$$Topenurlfull_article</openurlfulltext><thumbnail>$$Tsyndetics_thumb_exl</thumbnail><linktohtml>$$Uhttps://ieeexplore.ieee.org/document/10552303$$EHTML$$P50$$Gieee$$H</linktohtml><link.rule.ids>314,780,784,796,4022,27921,27922,27923,54756</link.rule.ids><linktorsrc>$$Uhttps://ieeexplore.ieee.org/document/10552303$$EView_record_in_IEEE$$FView_record_in_$$GIEEE</linktorsrc></links><search><creatorcontrib>Gao, Yinghua</creatorcontrib><creatorcontrib>Li, Yiming</creatorcontrib><creatorcontrib>Gong, Xueluan</creatorcontrib><creatorcontrib>Li, Zhifeng</creatorcontrib><creatorcontrib>Xia, Shu-Tao</creatorcontrib><creatorcontrib>Wang, Qian</creatorcontrib><title>Backdoor Attack With Sparse and Invisible Trigger</title><title>IEEE transactions on information forensics and security</title><addtitle>TIFS</addtitle><description>Deep neural networks (DNNs) are vulnerable to backdoor attacks, where the adversary manipulates a small portion of training data such that the victim model predicts normally on the benign samples but classifies the triggered samples as the target class. The backdoor attack is an emerging yet threatening training-phase threat, leading to serious risks in DNN-based applications. In this paper, we revisit the trigger patterns of existing backdoor attacks. We reveal that they are either visible or not sparse and therefore are not stealthy enough. More importantly, it is not feasible to simply combine existing methods to design an effective sparse and invisible backdoor attack. To address this problem, we formulate the trigger generation as a bi-level optimization problem with sparsity and invisibility constraints and propose an effective method to solve it. The proposed method is dubbed sparse and invisible backdoor attack (SIBA). We conduct extensive experiments on benchmark datasets under different settings, which verify the effectiveness of our attack and its resistance to existing backdoor defenses. The codes for reproducing main experiments are available at https://github.com/YinghuaGao/SIBA .</description><subject>Additives</subject><subject>AI security</subject><subject>Artificial neural networks</subject><subject>Backdoor attack</subject><subject>Data models</subject><subject>invisibility</subject><subject>Optimization</subject><subject>Perturbation methods</subject><subject>Security</subject><subject>sparsity</subject><subject>Task analysis</subject><subject>Training</subject><subject>trustworthy ML</subject><issn>1556-6013</issn><issn>1556-6021</issn><fulltext>true</fulltext><rsrctype>article</rsrctype><creationdate>2024</creationdate><recordtype>article</recordtype><sourceid>RIE</sourceid><recordid>eNpNkEFLw0AQhRdRsFZ_gOAh4Dl1ZifZJMdarBYKHlrxuEy2k5pam7qbCv33prSIzGHe4b2Zx6fULcIAEYqH-WQ8G2jQyYASxILMmephmprYgMbzP410qa5CWAEkCZq8p_CR3eeiaXw0bNtORu91-xHNtuyDRLxZRJPNTx3qci3R3NfLpfhrdVHxOsjNaffV2_hpPnqJp6_Pk9FwGjuNRRtLkbEDA5BzJYUjqNLcZVQKu4R0bthAlpaConXJwKbsemLB5FjIEC-or-6Pd7e--d5JaO2q2flN99ISZJq6MaZz4dHlfBOCl8puff3Ffm8R7IGMPZCxBzL2RKbL3B0ztYj886epJiD6BbHRXeY</recordid><startdate>2024</startdate><enddate>2024</enddate><creator>Gao, Yinghua</creator><creator>Li, Yiming</creator><creator>Gong, Xueluan</creator><creator>Li, Zhifeng</creator><creator>Xia, Shu-Tao</creator><creator>Wang, Qian</creator><general>IEEE</general><general>The Institute of Electrical and Electronics Engineers, Inc. (IEEE)</general><scope>97E</scope><scope>RIA</scope><scope>RIE</scope><scope>AAYXX</scope><scope>CITATION</scope><scope>7SC</scope><scope>7SP</scope><scope>7TB</scope><scope>8FD</scope><scope>FR3</scope><scope>JQ2</scope><scope>KR7</scope><scope>L7M</scope><scope>L~C</scope><scope>L~D</scope><orcidid>https://orcid.org/0000-0002-9653-7907</orcidid><orcidid>https://orcid.org/0000-0002-8639-982X</orcidid><orcidid>https://orcid.org/0000-0003-2190-8117</orcidid><orcidid>https://orcid.org/0000-0002-7158-2613</orcidid><orcidid>https://orcid.org/0000-0002-2258-265X</orcidid><orcidid>https://orcid.org/0000-0002-8967-8525</orcidid></search><sort><creationdate>2024</creationdate><title>Backdoor Attack With Sparse and Invisible Trigger</title><author>Gao, Yinghua ; Li, Yiming ; Gong, Xueluan ; Li, Zhifeng ; Xia, Shu-Tao ; Wang, Qian</author></sort><facets><frbrtype>5</frbrtype><frbrgroupid>cdi_FETCH-LOGICAL-c219t-e97ac06008afe9c30f58c73beac43286a6075be1e22ba0a6b02119a3cae363ad3</frbrgroupid><rsrctype>articles</rsrctype><prefilter>articles</prefilter><language>eng</language><creationdate>2024</creationdate><topic>Additives</topic><topic>AI security</topic><topic>Artificial neural networks</topic><topic>Backdoor attack</topic><topic>Data models</topic><topic>invisibility</topic><topic>Optimization</topic><topic>Perturbation methods</topic><topic>Security</topic><topic>sparsity</topic><topic>Task analysis</topic><topic>Training</topic><topic>trustworthy ML</topic><toplevel>peer_reviewed</toplevel><toplevel>online_resources</toplevel><creatorcontrib>Gao, Yinghua</creatorcontrib><creatorcontrib>Li, Yiming</creatorcontrib><creatorcontrib>Gong, Xueluan</creatorcontrib><creatorcontrib>Li, Zhifeng</creatorcontrib><creatorcontrib>Xia, Shu-Tao</creatorcontrib><creatorcontrib>Wang, Qian</creatorcontrib><collection>IEEE All-Society Periodicals Package (ASPP) 2005-present</collection><collection>IEEE All-Society Periodicals Package (ASPP) 1998-Present</collection><collection>IEEE Electronic Library (IEL)</collection><collection>CrossRef</collection><collection>Computer and Information Systems Abstracts</collection><collection>Electronics & Communications Abstracts</collection><collection>Mechanical & Transportation Engineering Abstracts</collection><collection>Technology Research Database</collection><collection>Engineering Research Database</collection><collection>ProQuest Computer Science Collection</collection><collection>Civil Engineering Abstracts</collection><collection>Advanced Technologies Database with Aerospace</collection><collection>Computer and Information Systems Abstracts Academic</collection><collection>Computer and Information Systems Abstracts Professional</collection><jtitle>IEEE transactions on information forensics and security</jtitle></facets><delivery><delcategory>Remote Search Resource</delcategory><fulltext>fulltext_linktorsrc</fulltext></delivery><addata><au>Gao, Yinghua</au><au>Li, Yiming</au><au>Gong, Xueluan</au><au>Li, Zhifeng</au><au>Xia, Shu-Tao</au><au>Wang, Qian</au><format>journal</format><genre>article</genre><ristype>JOUR</ristype><atitle>Backdoor Attack With Sparse and Invisible Trigger</atitle><jtitle>IEEE transactions on information forensics and security</jtitle><stitle>TIFS</stitle><date>2024</date><risdate>2024</risdate><volume>19</volume><spage>6364</spage><epage>6376</epage><pages>6364-6376</pages><issn>1556-6013</issn><eissn>1556-6021</eissn><coden>ITIFA6</coden><abstract>Deep neural networks (DNNs) are vulnerable to backdoor attacks, where the adversary manipulates a small portion of training data such that the victim model predicts normally on the benign samples but classifies the triggered samples as the target class. The backdoor attack is an emerging yet threatening training-phase threat, leading to serious risks in DNN-based applications. In this paper, we revisit the trigger patterns of existing backdoor attacks. We reveal that they are either visible or not sparse and therefore are not stealthy enough. More importantly, it is not feasible to simply combine existing methods to design an effective sparse and invisible backdoor attack. To address this problem, we formulate the trigger generation as a bi-level optimization problem with sparsity and invisibility constraints and propose an effective method to solve it. The proposed method is dubbed sparse and invisible backdoor attack (SIBA). We conduct extensive experiments on benchmark datasets under different settings, which verify the effectiveness of our attack and its resistance to existing backdoor defenses. The codes for reproducing main experiments are available at https://github.com/YinghuaGao/SIBA .</abstract><cop>New York</cop><pub>IEEE</pub><doi>10.1109/TIFS.2024.3411936</doi><tpages>13</tpages><orcidid>https://orcid.org/0000-0002-9653-7907</orcidid><orcidid>https://orcid.org/0000-0002-8639-982X</orcidid><orcidid>https://orcid.org/0000-0003-2190-8117</orcidid><orcidid>https://orcid.org/0000-0002-7158-2613</orcidid><orcidid>https://orcid.org/0000-0002-2258-265X</orcidid><orcidid>https://orcid.org/0000-0002-8967-8525</orcidid><oa>free_for_read</oa></addata></record>
fulltext	fulltext_linktorsrc
identifier	ISSN: 1556-6013
ispartof	IEEE transactions on information forensics and security, 2024, Vol.19, p.6364-6376
issn	1556-6013 1556-6021
language	eng
recordid	cdi_crossref_primary_10_1109_TIFS_2024_3411936
source	IEEE Electronic Library (IEL)
subjects	Additives AI security Artificial neural networks Backdoor attack Data models invisibility Optimization Perturbation methods Security sparsity Task analysis Training trustworthy ML
title	Backdoor Attack With Sparse and Invisible Trigger
url	https://sfx.bib-bvb.de/sfx_tum?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-09T12%3A15%3A10IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-proquest_RIE&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Backdoor%20Attack%20With%20Sparse%20and%20Invisible%20Trigger&rft.jtitle=IEEE%20transactions%20on%20information%20forensics%20and%20security&rft.au=Gao,%20Yinghua&rft.date=2024&rft.volume=19&rft.spage=6364&rft.epage=6376&rft.pages=6364-6376&rft.issn=1556-6013&rft.eissn=1556-6021&rft.coden=ITIFA6&rft_id=info:doi/10.1109/TIFS.2024.3411936&rft_dat=%3Cproquest_RIE%3E3072323266%3C/proquest_RIE%3E%3Curl%3E%3C/url%3E&disable_directlink=true&sfx.directlink=off&sfx.report_link=0&rft_id=info:oai/&rft_pqid=3072323266&rft_id=info:pmid/&rft_ieee_id=10552303&rfr_iscdi=true