
Impart: An Imperceptible and Effective Label-Specific Backdoor Attack (2403.13017v1)

Published 18 Mar 2024 in cs.CR and cs.AI

Abstract: Backdoor attacks have been shown to impose severe threats to real security-critical scenarios. Although previous works can achieve high attack success rates, they either require access to victim models which may significantly reduce their threats in practice, or perform visually noticeable in stealthiness. Besides, there is still room to improve the attack success rates in the scenario that different poisoned samples may have different target labels (a.k.a., the all-to-all setting). In this study, we propose a novel imperceptible backdoor attack framework, named Impart, in the scenario where the attacker has no access to the victim model. Specifically, in order to enhance the attack capability of the all-to-all setting, we first propose a label-specific attack. Different from previous works which try to find an imperceptible pattern and add it to the source image as the poisoned image, we then propose to generate perturbations that align with the target label in the image feature by a surrogate model. In this way, the generated poisoned images are attached with knowledge about the target class, which significantly enhances the attack capability.

Authors (4)
  1. Jingke Zhao (2 papers)
  2. Zan Wang (21 papers)
  3. Yongwei Wang (24 papers)
  4. Lanjun Wang (36 papers)