Shortcuts Everywhere and Nowhere: Exploring Multi-Trigger Backdoor Attacks (2401.15295v3)
Abstract: Backdoor attacks have become a significant threat to the pre-training and deployment of deep neural networks (DNNs). Although numerous methods for detecting and mitigating backdoor attacks have been proposed, most rely on identifying and eliminating the ``shortcut" created by the backdoor, which links a specific source class to a target class. However, these approaches can be easily circumvented by designing multiple backdoor triggers that create shortcuts everywhere and therefore nowhere specific. In this study, we explore the concept of Multi-Trigger Backdoor Attacks (MTBAs), where multiple adversaries leverage different types of triggers to poison the same dataset. By proposing and investigating three types of multi-trigger attacks including \textit{parallel}, \textit{sequential}, and \textit{hybrid} attacks, we demonstrate that 1) multiple triggers can coexist, overwrite, or cross-activate one another, and 2) MTBAs easily break the prevalent shortcut assumption underlying most existing backdoor detection/removal methods, rendering them ineffective. Given the security risk posed by MTBAs, we have created a multi-trigger backdoor poisoning dataset to facilitate future research on detecting and mitigating these attacks, and we also discuss potential defense strategies against MTBAs. Our code is available at \url{https://github.com/bboylyg/Multi-Trigger-Backdoor-Attacks}.
- A new backdoor attack in cnns by training set corruption without label poisoning. In ICIP, 2019.
- Coyo-700m: Image-text pair dataset. https://github.com/kakaobrain/coyo-dataset, 2022.
- Poisoning web-scale training datasets is practical. arXiv preprint arXiv:2302.10149, 2023.
- Listen, attend and spell: A neural network for large vocabulary conversational speech recognition. In ICASSP, 2016.
- Detecting backdoor attacks on deep neural networks by activation clustering. In AAAI Workshop, 2019.
- Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526, 2017.
- Deep feature space trojan attack of neural networks by controlled detoxification. In AAAI, 2021.
- Imagenet: A large-scale hierarchical image database. In CVPR, 2009.
- Bert: Pre-training of deep bidirectional transformers for language understanding. In NAACL, 2019.
- An image is worth 16x16 words: Transformers for image recognition at scale. 2021.
- Strip: A defence against trojan attacks on deep neural networks. In ACSAC, 2019.
- Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733, 2017.
- Tabor: A highly accurate approach to inspecting and restoring trojan backdoors in ai systems. arXiv preprint arXiv:1908.01763, 2019.
- Deep residual learning for image recognition. In CVPR, 2016.
- Mobilenets: Efficient convolutional neural networks for mobile vision applications. arXiv preprint arXiv:1704.04861, 2017.
- Distilling cognitive backdoor patterns within an image. ICLR, 2023.
- Backdoor defense via decoupling the training process. In ICLR, 2022.
- Rethinking the trigger of backdoor attack. arXiv preprint arXiv:2004.04692, 2020.
- Invisible backdoor attack with sample-specific triggers. In ICCV, pp. 16463–16472, 2021a.
- Anti-backdoor learning: Training clean models on poisoned data. In NeurIPS, 2021b.
- Neural attention distillation: Erasing backdoor triggers from deep neural networks. In ICLR, 2021c.
- Backdoor learning: A survey. TNNLS, 2022.
- Reconstructive neuron pruning for backdoor defense. In ICML, 2023.
- Composite backdoor attack for deep neural network by mixing existing benign features. In CCS, 2020.
- Fine-pruning: Defending against backdooring attacks on deep neural networks. In RAID, 2018a.
- Trojaning attack on neural networks. In NDSS, 2018b.
- Abs: Scanning neural networks for back-doors by artificial brain stimulation. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, pp. 1265–1282, 2019.
- Reflection backdoor: A natural backdoor attack on deep neural networks. In ECCV, 2020.
- Language models are few-shot learners. 2020.
- Input-aware dynamic backdoor attack. In NeurIPS, 2020.
- Wanet–imperceptible warping-based backdoor attack. In ICLR, 2021.
- Laion-400m: Open dataset of clip-filtered 400 million image-text pairs. arXiv preprint arXiv:2111.02114, 2021.
- Spectral signatures in backdoor attacks. In NeurIPS, 2018.
- Clean-label backdoor attacks. https://people.csail.mit.edu/madry/lab/, 2019.
- Visualizing data using t-sne. Journal of machine learning research, 9(11), 2008.
- Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In S&P. IEEE, 2019.
- Mm-bd: Post-training detection of backdoor attacks with arbitrary backdoor pattern types using a maximum margin statistic. In Symposium on Security and Privacy (SP), 2023.
- Adversarial neuron pruning purifies backdoored deep models. NeurIPS, 2021.
- Umd: Unsupervised model detection for x2x backdoor attacks. In ICML, 2023.
- Detecting ai trojans using meta neural analysis. In S&P, 2021.
- One-to-n & n-to-one: Two advanced backdoor attacks against deep learning models. TDSC, 2020.
- Rethinking the backdoor attacks’ triggers: A frequency perspective. In ICCV, 2021.
- Data-free backdoor removal based on channel lipschitzness. In ECCV, 2022.
Collections
Sign up for free to add this paper to one or more collections.