WPDA: Frequency-based Backdoor Attack with Wavelet Packet Decomposition (2401.13578v3)
Abstract: This work studies an emerging security threat to deep neural network (DNN) image classifiers: the backdoor attack. The attacker injects a backdoor into the model by manipulating its training data, so that a particular trigger activates the backdoor at inference and steers the model to a target prediction. Most existing data-poisoning attacks struggle to succeed at low poisoning ratios, and the larger number of poisoned samples they need makes them easier for defense methods to catch. In this paper, we propose a novel frequency-based backdoor attack built on Wavelet Packet Decomposition (WPD). WPD decomposes the original image signal into a spectrogram whose frequency regions carry different semantic meanings. We use WPD to statistically analyze the frequency distribution of the dataset, infer the key frequency regions the DNN focuses on, and inject the trigger information only into those regions. The method has three parts: 1) selection of the poisoning frequency regions in the spectrogram; 2) trigger generation; 3) generation of the poisoned dataset. The attack is stealthy and precise: it reaches a 98.12% Attack Success Rate (ASR) on CIFAR-10 at an extremely low poisoning ratio of 0.004% (i.e., only 2 poisoned samples among 50,000 training samples) and can bypass most existing defense methods. We also provide visualization analyses to explain why the method works.
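To make the three-part pipeline concrete, the following is an added toy example and not the paper's code: a pure-Python Haar wavelet packet decomposition (WPD) of small grayscale images, a dataset-level energy statistic used to pick subbands, a fixed coefficient-domain trigger added only in the chosen subbands, and inverse WPD back to pixels for a poisoned subset. Everything specific is an assumption for illustration: the 8x8 constructed images, the "highest mean-energy non-DC leaves" selection heuristic (the paper's actual criterion for key frequency regions is not reproduced), the checkerboard trigger, and the dirty-label relabelling to a target class.

```python
"""Added toy example: Haar wavelet-packet trigger injection, pure Python.
Not the paper's code; selection heuristic, trigger and data are assumptions."""
import math
import random

S2 = math.sqrt(2.0)  # orthonormal Haar: coefficient energy == pixel energy


def _transpose(m):
    return [list(c) for c in zip(*m)]


def _analyze_rows(m):
    """Split each row into low-pass (sums) and high-pass (differences) halves."""
    lo, hi = [], []
    for row in m:
        lo.append([(row[2 * i] + row[2 * i + 1]) / S2 for i in range(len(row) // 2)])
        hi.append([(row[2 * i] - row[2 * i + 1]) / S2 for i in range(len(row) // 2)])
    return lo, hi


def _synth_rows(lo, hi):
    """Exact inverse of _analyze_rows."""
    out = []
    for l, h in zip(lo, hi):
        row = []
        for a, b in zip(l, h):
            row.extend([(a + b) / S2, (a - b) / S2])
        out.append(row)
    return out


def haar_2d(block):
    """One 2D Haar level -> [LL, LH, HL, HH], each half the side length."""
    low, high = _analyze_rows(block)
    ll, lh = (_transpose(x) for x in _analyze_rows(_transpose(low)))
    hl, hh = (_transpose(x) for x in _analyze_rows(_transpose(high)))
    return [ll, lh, hl, hh]


def ihaar_2d(ll, lh, hl, hh):
    low = _transpose(_synth_rows(_transpose(ll), _transpose(lh)))
    high = _transpose(_synth_rows(_transpose(hl), _transpose(hh)))
    return _synth_rows(low, high)


def wpd(block, depth):
    """Full wavelet packet tree; 4**depth leaves, leaf 0 = coarsest (DC-like)."""
    if depth == 0:
        return [block]
    return [leaf for sub in haar_2d(block) for leaf in wpd(sub, depth - 1)]


def iwpd(leaves, depth):
    if depth == 0:
        return leaves[0]
    k = len(leaves) // 4
    return ihaar_2d(*(iwpd(leaves[i * k:(i + 1) * k], depth - 1) for i in range(4)))


def energy(block):
    return sum(v * v for row in block for v in row)


def select_regions(images, depth, k):
    """Part 1 (assumed heuristic): rank leaves by mean energy over the dataset
    and keep the k strongest non-DC leaves; leaf 0 is skipped because
    perturbing it shifts overall brightness and is visible."""
    n_leaves = 4 ** depth
    mean_e = [0.0] * n_leaves
    for img in images:
        for i, leaf in enumerate(wpd(img, depth)):
            mean_e[i] += energy(leaf) / len(images)
    ranked = sorted(range(1, n_leaves), key=lambda i: mean_e[i], reverse=True)
    return ranked[:k], mean_e


def make_trigger(side, amplitude):
    """Part 2 (assumed pattern): +/-amplitude checkerboard the size of one leaf."""
    return [[amplitude * (1 if (r + c) % 2 == 0 else -1) for c in range(side)]
            for r in range(side)]


def inject(img, regions, trigger, depth):
    """Add the trigger to the selected leaves only, then return to pixel space."""
    leaves = wpd(img, depth)
    for i in regions:
        leaves[i] = [[a + b for a, b in zip(lr, tr)] for lr, tr in zip(leaves[i], trigger)]
    return iwpd(leaves, depth)


def poison_dataset(images, labels, ratio, target, regions, trigger, depth, seed=0):
    """Part 3 (dirty-label setting assumed): a `ratio` fraction of samples gets
    the trigger and is relabelled `target`. Returns images, labels, poisoned ids."""
    rng = random.Random(seed)
    ids = set(rng.sample(range(len(images)), max(1, round(ratio * len(images)))))
    new_imgs = [inject(x, regions, trigger, depth) if i in ids else x for i, x in enumerate(images)]
    new_labels = [target if i in ids else y for i, y in enumerate(labels)]
    return new_imgs, new_labels, sorted(ids)


def make_dataset(n=20, side=8, seed=1):
    """Constructed data: smooth gradient plus Gaussian noise, random 10-class labels."""
    rng = random.Random(seed)
    imgs = [[[rng.uniform(50, 150) + 4.0 * (r + c) + rng.gauss(0, 3) for c in range(side)]
             for r in range(side)] for _ in range(n)]
    return imgs, [rng.randrange(10) for _ in range(n)]


def max_pixel_delta(a, b):
    return max(abs(x - y) for ra, rb in zip(a, b) for x, y in zip(ra, rb))


if __name__ == "__main__":
    imgs, labels = make_dataset()
    regions, mean_e = select_regions(imgs, depth=2, k=2)
    p_imgs, p_labels, ids = poison_dataset(imgs, labels, 0.1, 7, regions, make_trigger(2, 8.0), 2)
    print("selected leaves:", regions, "poisoned ids:", ids)
    print("max |pixel delta| on a poisoned image:", round(max_pixel_delta(imgs[ids[0]], p_imgs[ids[0]]), 3))
```

Two properties worth checking on the output: because the Haar basis is orthonormal, the round trip is exact and the total coefficient energy equals the pixel energy, so the statistics used for selection are well defined; and a depth-2 coefficient spreads over a 4x4 pixel block at one quarter of its amplitude, so with k selected leaves and amplitude A the pixel-domain change is bounded by k*A/4, which is why a few coefficients can carry a trigger that pixel-space inspection hardly registers while a WPD of the poisoned image recovers it exactly as the coefficient difference in the chosen leaves.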
Authors: Zhengyao Song, Danni Yuan, Li Liu, Shaokui Wei, Baoyuan Wu, YongQiang Li