Invisible Backdoor Learning in Transform Domain with Flexible Triggers and Targets

The high demands on datasets and computing resources in deep learning make the models vulnerable to a range of security threats such as backdoor learning. The study of backdoor learning also helps to improve the understanding of model security. In order to ensure the attack effect, the triggers and targets in the existing backdoor learning methods are usually fixed and single, so a single defense will lead to the failure of the attack. This paper proposes an invisible backdoor learning scheme in the transform domain with flexible triggers and targets. By adding different offsets of different frequencies in the transform domain, multiple triggers and multiple targets are controlled. The generated poisoning images are added to the training dataset and the model is fine-tuned. Under the conception, two modes of backdoor learning enable flexible triggers and targets. One mode is multi-triggers and multi-targets (MTMT), and it can implement multiple triggers corresponding to different activation targets. The other mode is multi-triggers and one-target (MTOT), and it can realize multiple trigger sets to activate the target together. The experimental results show that the attack success rate reaches 95% and the accuracy of the model decreases within 3% under the premise that the trigger is not visible. This scheme can resist the common defense methods and has a good sample of the visual quality.