Spy-Watermark: Robust Invisible Watermarking for Backdoor Attack (2401.02031v1)
Abstract: A backdoor attack aims to make a victim model misbehave on inputs that carry the backdoor trigger while preserving its performance on benign data. Current methods use hand-crafted patterns or special perturbations as triggers, but they often overlook robustness against data corruption, which makes such backdoors easy to defend against in practice. To address this issue, we propose a novel backdoor attack method named Spy-Watermark, which remains effective in the presence of data collapse and backdoor defenses. We introduce a learnable watermark embedded in the latent domain of images to serve as the trigger. We then search for a watermark that withstands collapse during image decoding, and combine it with several anti-collapse operations to further improve the trigger's resilience to data corruption. Extensive experiments on CIFAR10, GTSRB, and ImageNet show that Spy-Watermark outperforms ten state-of-the-art methods in terms of robustness and stealthiness.
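The abstract's central claim is that a trigger which does not survive lossy decoding is easy to neutralize, so a practitioner evaluating a poisoned dataset wants a harness that embeds a trigger, runs the image through a lossy round trip, and measures whether the trigger is still detectable. The following is an added example written for this page; it is not the Spy-Watermark code, and it does not implement the paper's learnable latent-domain watermark. Instead it contrasts two classical, hand-designed triggers under the same corruption: a fragile LSB trigger and a Koch-Zhao style trigger that encodes each bit as the ordering of two mid-frequency DCT coefficients in an 8x8 block. The 32x32 gradient host image, the LCG-generated bit patterns, the coefficient pair `C1`/`C2`, the margin, and the uniform-step "JPEG-like" quantizer are all assumptions made for the example.

```python
import math

N, SIZE = 8, 32           # block size and image side (SIZE is a multiple of N); assumed values
MARGIN, QSTEP = 32.0, 16  # gap enforced by the DCT trigger; quantization step of the corruption
C1, C2 = (1, 2), (2, 1)   # mid-frequency coefficient pair carrying each DCT-trigger bit (assumed)
_COS = [[math.cos((2 * i + 1) * k * math.pi / (2 * N)) for k in range(N)] for i in range(N)]
_C = [1 / math.sqrt(2)] + [1.0] * (N - 1)


def dct2(blk):
    """Orthonormal 2-D DCT-II of an NxN block given as a list of rows."""
    return [[0.25 * _C[u] * _C[v] * sum(blk[x][y] * _COS[x][u] * _COS[y][v]
                                          for x in range(N) for y in range(N))
             for v in range(N)] for u in range(N)]


def idct2(coef):
    """Inverse of dct2; returns float pixel values."""
    return [[0.25 * sum(_C[u] * _C[v] * coef[u][v] * _COS[x][u] * _COS[y][v]
                        for u in range(N) for v in range(N))
             for y in range(N)] for x in range(N)]


def blocks(img):
    """Yield (row, col, block) for every NxN block of the image."""
    for bi in range(0, SIZE, N):
        for bj in range(0, SIZE, N):
            yield bi, bj, [row[bj:bj + N] for row in img[bi:bi + N]]


def put_block(img, bi, bj, blk):
    """Write a float block back into img as clipped 8-bit integers."""
    for x in range(N):
        img[bi + x][bj:bj + N] = [max(0, min(255, round(v))) for v in blk[x]]


def lcg_bits(count, seed):
    """Deterministic pseudo-random 0/1 pattern (constructed for the example, not a real key)."""
    bits, s = [], seed
    for _ in range(count):
        s = (1103515245 * s + 12345) % 2 ** 31
        bits.append((s >> 16) & 1)
    return bits


def host_image():
    """Constructed smooth grayscale host (64..188), mid-range so embedding never clips."""
    return [[64 + 2 * (x + y) for y in range(SIZE)] for x in range(SIZE)]


def embed_lsb(img, bits):
    """Fragile trigger: overwrite every pixel's least-significant bit with the pattern."""
    return [[(img[x][y] & ~1) | bits[x * SIZE + y] for y in range(SIZE)] for x in range(SIZE)]


def detect_lsb(img, bits):
    """Fraction of pixels whose LSB still matches the pattern (1.0 = trigger intact)."""
    hits = sum((img[x][y] & 1) == bits[x * SIZE + y] for x in range(SIZE) for y in range(SIZE))
    return hits / (SIZE * SIZE)


def embed_dct(img, bits):
    """Robust trigger: per block, bit 1 forces coef C1 > coef C2 by >= 2*MARGIN, bit 0 the reverse."""
    out = [row[:] for row in img]
    for k, (bi, bj, blk) in enumerate(blocks(img)):
        c = dct2(blk)
        a, b = c[C1[0]][C1[1]], c[C2[0]][C2[1]]
        hi, lo = max(a, b) + MARGIN, min(a, b) - MARGIN
        c[C1[0]][C1[1]], c[C2[0]][C2[1]] = (hi, lo) if bits[k] else (lo, hi)
        put_block(out, bi, bj, idct2(c))
    return out


def detect_dct(img, bits):
    """Fraction of blocks whose coefficient ordering still encodes the pattern bit."""
    hits, total = 0, 0
    for k, (_, _, blk) in enumerate(blocks(img)):
        c = dct2(blk)
        hits += (c[C1[0]][C1[1]] > c[C2[0]][C2[1]]) == bool(bits[k])
        total += 1
    return hits / total


def jpeg_like(img, step=QSTEP):
    """Simplified lossy decode: block DCT, uniform quantization, inverse DCT, 8-bit rounding."""
    out = [row[:] for row in img]
    for bi, bj, blk in blocks(img):
        q = [[step * round(v / step) for v in row] for row in dct2(blk)]
        put_block(out, bi, bj, idct2(q))
    return out


def evaluate():
    """Detection rates for both triggers before and after the lossy round trip."""
    host = host_image()
    pixel_bits = lcg_bits(SIZE * SIZE, seed=1)        # one bit per pixel for the LSB trigger
    block_bits = lcg_bits((SIZE // N) ** 2, seed=2)   # one bit per 8x8 block for the DCT trigger
    lsb, dct = embed_lsb(host, pixel_bits), embed_dct(host, block_bits)
    return {
        "lsb_clean": detect_lsb(lsb, pixel_bits),
        "lsb_corrupted": detect_lsb(jpeg_like(lsb), pixel_bits),
        "dct_clean": detect_dct(dct, block_bits),
        "dct_corrupted": detect_dct(jpeg_like(dct), block_bits),
    }


if __name__ == "__main__":
    for name, rate in evaluate().items():
        print(f"{name:14s} {rate:.2f}")
```

Running `evaluate()` shows the behaviour the abstract is arguing about: both triggers are detected perfectly on the clean poisoned image, but after the lossy round trip the LSB trigger degrades to roughly chance (about half the pixel bits match, which is what a defender gets for free by re-encoding the training set), while the DCT ordering survives because the enforced coefficient gap (64 here) is larger than the combined quantization and rounding error (at most 16 per coefficient per pass with step 16). The same harness can be pointed at any other embed/detect pair, including a learned trigger, and at stronger corruptions by lowering `QSTEP` or adding blur, which is the kind of measurement the paper's "anti-collapse" search would have to pass.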