A stealthy and robust backdoor attack via frequency domain transform

Journal: World Wide Web

Abstract

Deep learning models are vulnerable to backdoor attacks, in which an adversary injects a hidden backdoor into a model so that the victim model performs well on clean data but outputs predefined wrong results on data containing a specific trigger (e.g., a pattern or a particular accessory). While existing attack methods are effective, they are generally neither stealthy nor robust: the backdoor triggers are unnatural and easily detected, and they do not survive data augmentation operations. To address these issues, in this paper we explore new attack methods that significantly improve the stealthiness and robustness of backdoor attacks. Specifically, inspired by digital watermarking techniques, we propose two backdoor trigger injection algorithms based on the discrete Fourier transform and the discrete cosine transform. These algorithms inject the trigger in the frequency domain instead of the spatial domain, which ensures stealthiness, and they divide the original data into multiple blocks and inject the trigger into each block, which improves robustness. We experimentally evaluated the proposed methods on the GTSRB and CIFAR10 datasets, and the results demonstrate that our methods remarkably improve the stealthiness and robustness of backdoor attacks without compromising effectiveness. For example, on GTSRB, compared with BadNets and Blend, our methods generate more natural poisoned data and improve by at least 80.99%, 68.09%, 25.49%, and 63.31% under random horizontal flip, random vertical flip, random cropping (padding = 2), and random cropping (padding = 4), respectively.
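The abstract describes the mechanism only at a high level: a trigger is added in the transform domain rather than to pixels, and it is added once per block so that it is repeated across the image. The following is an added illustration written for this page, not the authors' code, and the paper's actual algorithms (DFT and DCT variants, coefficient choice, amplitude, block size) are not on this page. It assumes an orthonormal DCT-II, 8x8 blocks, a single trigger coefficient at index (2, 2) with amplitude 40 on a 0..255 grayscale scale, and a constructed random 32x32 "image". It also shows one property that is a fact about the DCT-II basis rather than a claim from the abstract: reversing a block's columns multiplies coefficient column v by (-1)^v (and reversing rows multiplies row u by (-1)^u), so a trigger placed at even indices keeps its sign under horizontal and vertical flips while one at odd indices is negated.

```python
"""Block-wise DCT trigger injection: constructed illustration, not the paper's code.

Assumptions (not from the page): orthonormal DCT-II, 8x8 blocks, trigger at
coefficient (2, 2) with amplitude ALPHA, grayscale float images in [0, 255].
"""
import numpy as np

BLOCK = 8
ALPHA = 40.0          # trigger amplitude added to one DCT coefficient per block
TRIGGER_POS = (2, 2)  # even indices: sign survives horizontal and vertical flips


def dct_matrix(n: int) -> np.ndarray:
    """Orthonormal DCT-II basis: C[k, j] = s_k * cos(pi*(2j+1)*k/(2n)), C @ C.T == I."""
    j = np.arange(n)
    c = np.cos(np.pi * (2 * j[None, :] + 1) * j[:, None] / (2 * n)) * np.sqrt(2.0 / n)
    c[0, :] /= np.sqrt(2.0)
    return c


C = dct_matrix(BLOCK)


def dct2(block: np.ndarray) -> np.ndarray:
    return C @ block @ C.T


def idct2(coef: np.ndarray) -> np.ndarray:
    return C.T @ coef @ C


def blocks(img: np.ndarray):
    """Yield (row, col, tile) for every BLOCK x BLOCK tile; dims must be multiples of BLOCK."""
    h, w = img.shape
    assert h % BLOCK == 0 and w % BLOCK == 0
    for r in range(0, h, BLOCK):
        for c in range(0, w, BLOCK):
            yield r, c, img[r:r + BLOCK, c:c + BLOCK]


def inject_trigger(img: np.ndarray, alpha: float = ALPHA, pos=TRIGGER_POS) -> np.ndarray:
    """Add alpha to one DCT coefficient of every block (trigger repeated per block)."""
    out = img.astype(np.float64).copy()
    for r, c, tile in blocks(out):
        coef = dct2(tile)
        coef[pos] += alpha
        out[r:r + BLOCK, c:c + BLOCK] = idct2(coef)
    return np.clip(out, 0.0, 255.0)


def trigger_strength(poisoned: np.ndarray, clean: np.ndarray, pos=TRIGGER_POS) -> float:
    """Mean per-block shift of the chosen coefficient relative to the clean image."""
    diffs = [dct2(pt)[pos] - dct2(ct)[pos]
             for (_, _, pt), (_, _, ct) in zip(blocks(poisoned), blocks(clean))]
    return float(np.mean(diffs))


def psnr(a: np.ndarray, b: np.ndarray) -> float:
    mse = np.mean((a.astype(np.float64) - b.astype(np.float64)) ** 2)
    return float(10 * np.log10(255.0 ** 2 / mse))


def demo(seed: int = 0) -> dict:
    rng = np.random.default_rng(seed)
    # constructed sample image; values in [60, 200] so the +/-10 pixel perturbation never clips
    clean = rng.uniform(60, 200, size=(32, 32))
    poisoned = inject_trigger(clean)
    hflip = lambda x: x[:, ::-1]   # random horizontal flip, as in the abstract's augmentation list
    vflip = lambda x: x[::-1, :]   # random vertical flip
    return {
        "psnr_db": psnr(clean, poisoned),
        "strength": trigger_strength(poisoned, clean),
        "strength_after_hflip": trigger_strength(hflip(poisoned), hflip(clean)),
        "strength_after_vflip": trigger_strength(vflip(poisoned), vflip(clean)),
        # odd-index coefficient: a horizontal flip negates it, so the trigger sign is lost
        "odd_pos_after_hflip": trigger_strength(hflip(inject_trigger(clean, pos=(3, 3))),
                                                hflip(clean), pos=(3, 3)),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:>22}: {value:8.2f}")
```

Because the transform is orthonormal, adding alpha to one coefficient adds exactly alpha^2 of energy per 8x8 block (Parseval), so the mean squared pixel error is alpha^2/64 and the PSNR is fixed by alpha alone, about 34 dB for alpha = 40; this is the knob that trades stealthiness against trigger strength. The flip results come from the basis parity argument in the lead-in, not from training a model; whether a given classifier actually learns a sign-insensitive feature is an empirical question the abstract answers only for the authors' own algorithms.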

Availability of data and material

The datasets used or analysed during the current study are available from the corresponding author on reasonable request.

References

  1. Dargan, S., Kumar, M., Ayyagari, M.R., Kumar, G.: A survey of deep learning and its applications: a new paradigm to machine learning. Archives of Computational Methods in Engineering 27(4), 1071–1092 (2020)

  2. Hu, L., Yan, H., Li, L., Pan, Z., Liu, X., Zhang, Z.: MHAT: an efficient model-heterogenous aggregation training scheme for federated learning. Inf. Sci. 560, 493–503 (2021)

  3. Li, T., Li, J., Chen, X., Liu, Z., Lou, W., Hou, Y.T.: NPMML: A framework for non-interactive privacy-preserving multi-party machine learning. IEEE Trans. Dependable Secure Comput. 18(6), 2969–2982 (2020)

  4. Gao, C., Li, J., Xia, S., Choo, K.-K.R., Lou, W., Dong, C.: Mas-encryption and its applications in privacy-preserving classifiers. IEEE Trans. Knowl. Data Eng. 34(5), 2306–2323 (2022)

  5. Liang, C., Miao, M., Ma, J., Yan, H., Zhang, Q., Li, X.: Detection of global positioning system spoofing attack on unmanned aerial vehicle system. Concurrency and Computation: Practice and Experience 34(7), 5925 (2022)

  6. Lauriola, I., Lavelli, A., Aiolli, F.: An introduction to deep learning in natural language processing: models, techniques, and tools. Neurocomputing 470, 443–456 (2022)

  7. Ning, F., Shi, Y., Cai, M., Xu, W., Zhang, X.: Manufacturing cost estimation based on a deep-learning method. J. Manuf. Syst. 54, 186–195 (2020)

  8. Ribeiro, M., Grolinger, K., Capretz, M.A.: MLaaS: Machine learning as a service. In: 2015 IEEE 14th International Conference on Machine Learning and Applications (ICMLA), pp. 896–902 (2015). IEEE

  9. Yan, H., Hu, L., Xiang, X., Liu, Z., Yuan, X.: PPCL: Privacy-preserving collaborative learning for mitigating indirect information leakage. Inf. Sci. 548, 423–437 (2021)

  10. Li, Y., Yan, H., Huang, T., Pan, Z., Lai, J., Zhang, X., Chen, K., Li, J.: Model architecture level privacy leakage in neural networks. SCIENCE CHINA Inf. Sci. (2022). https://doi.org/10.1007/s11432-022-3507-7

  11. Yan, H., Jiang, N., Li, K., Wang, Y., Yang, G.: Collusion-free for cloud verification toward the view of game theory. ACM Transactions on Internet Technology (TOIT) 22(2), 1–21 (2021)

  12. Li, J., Huang, Y., Wei, Y., Lv, S., Liu, Z., Dong, C., Lou, W.: Searchable symmetric encryption with forward search privacy. IEEE Trans. Dependable Secure Comput. 18(1), 460–474 (2019)

  13. Zhang, X., Chen, X., Yan, H., Xiang, Y.: Privacy-preserving and verifiable online crowdsourcing with worker updates. Inf. Sci. 548, 212–232 (2021)

  14. Gu, T., Dolan-Gavitt, B., Garg, S.: BadNets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017)

  15. Katzenbeisser, S., Petitcolas, F.: Digital watermarking. Artech House, London 2, 2 (2000)

  16. Podilchuk, C.I., Delp, E.J.: Digital watermarking: algorithms and applications. IEEE Signal Process. Mag. 18(4), 33–46 (2001)

  17. Chen, X., Liu, C., Li, B., Lu, K., Song, D.: Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526 (2017)

  18. Liu, Y., Ma, S., Aafer, Y., Lee, W.-C., Zhai, J., Wang, W., Zhang, X.: Trojaning attack on neural networks. In: Network and Distributed System Security Symposium (2018). https://doi.org/10.14722/ndss.2018.23291

  19. Li, Y., Wu, B., Jiang, Y., Li, Z., Xia, S.-T.: Backdoor learning: A survey. arXiv preprint arXiv:2007.08745 (2020)

  20. Bagdasaryan, E., Veit, A., Hua, Y., Estrin, D., Shmatikov, V.: How to backdoor federated learning. In: International Conference on Artificial Intelligence and Statistics, pp. 2938–2948 (2020). PMLR

  21. Turner, A., Tsipras, D., Madry, A.: Label-consistent backdoor attacks. arXiv preprint arXiv:1912.02771 (2019)

  22. Saha, A., Subramanya, A., Pirsiavash, H.: Hidden trigger backdoor attacks. In: Proceedings of the AAAI Conference on Artificial Intelligence, vol. 34, pp. 11957–11965 (2020)

  23. Quiring, E., Rieck, K.: Backdooring and poisoning neural networks with image-scaling attacks. In: 2020 IEEE Security and Privacy Workshops (SPW), pp. 41–47 (2020). IEEE

  24. Zhong, H., Liao, C., Squicciarini, A.C., Zhu, S., Miller, D.: Backdoor embedding in convolutional neural network models via invisible perturbation. In: Proceedings of the Tenth ACM Conference on Data and Application Security and Privacy, pp. 97–108 (2020)

  25. Moosavi-Dezfooli, S.-M., Fawzi, A., Fawzi, O., Frossard, P.: Universal adversarial perturbations. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 1765–1773 (2017)

  26. Liu, Y., Ma, X., Bailey, J., Lu, F.: Reflection backdoor: A natural backdoor attack on deep neural networks. In: European Conference on Computer Vision, pp. 182–199 (2020). Springer

  27. Li, Y., Li, Y., Wu, B., Li, L., He, R., Lyu, S.: Invisible backdoor attack with sample-specific triggers. In: Proceedings of the IEEE/CVF International Conference on Computer Vision, pp. 16463–16472 (2021)

  28. Hou, R., Ai, S., Chen, Q., Yan, H., Huang, T., Chen, K.: Similarity-based integrity protection for deep learning systems. Inf. Sci. 601, 255–267 (2022)

  29. Liu, Y., Xie, Y., Srivastava, A.: Neural trojans. In: 2017 IEEE International Conference on Computer Design (ICCD), pp. 45–48 (2017). IEEE

  30. Doan, B.G., Abbasnejad, E., Ranasinghe, D.C.: Februus: Input purification defense against trojan attacks on deep neural network systems. In: Annual Computer Security Applications Conference, pp. 897–912 (2020)

  31. Li, Y., Zhai, T., Wu, B., Jiang, Y., Li, Z., Xia, S.: Rethinking the trigger of backdoor attack. arXiv preprint arXiv:2004.04692 (2020)

  32. Wang, B., Yao, Y., Shan, S., Li, H., Viswanath, B., Zheng, H., Zhao, B.Y.: Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In: 2019 IEEE Symposium on Security and Privacy (SP), pp. 707–723 (2019). IEEE

  33. Kolouri, S., Saha, A., Pirsiavash, H., Hoffmann, H.: Universal litmus patterns: Revealing backdoor attacks in cnns. In: Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pp. 301–310 (2020)

  34. Huang, X., Alzantot, M., Srivastava, M.: NeuronInspect: Detecting backdoors in neural networks via output explanations. arXiv preprint arXiv:1911.07399 (2019)

  35. Liu, K., Dolan-Gavitt, B., Garg, S.: Fine-pruning: Defending against backdooring attacks on deep neural networks. In: International Symposium on Research in Attacks, Intrusions, and Defenses, pp. 273–294 (2018). Springer

  36. Du, M., Jia, R., Song, D.: Robust anomaly detection and backdoor attack detection via differential privacy. arXiv preprint arXiv:1911.07116 (2019)

  37. Li, J., Ye, H., Li, T., Wang, W., Lou, W., Hou, Y.T., Liu, J., Lu, R.: Efficient and secure outsourcing of differentially private data publishing with multiple evaluators. IEEE Trans. Dependable Secure Comput. 19(1), 67–76 (2022)

  38. Lin, G., Yan, H., Kou, G., Huang, T., Peng, S., Zhang, Y., Dong, C.: Understanding adaptive gradient clipping in DP-SGD, empirically. Int. J. Intell. Syst. (2022). https://doi.org/10.1002/int.23001

  39. Chen, B., Carvalho, W., Baracaldo, N., Ludwig, H., Edwards, B., Lee, T., Molloy, I., Srivastava, B.: Detecting backdoor attacks on deep neural networks by activation clustering. arXiv preprint arXiv:1811.03728 (2018)

  40. Gao, Y., Xu, C., Wang, D., Chen, S., Ranasinghe, D.C., Nepal, S.: STRIP: A defence against trojan attacks on deep neural networks. In: Proceedings of the 35th Annual Computer Security Applications Conference, pp. 113–125 (2019)

  41. Van Schyndel, R.G., Tirkel, A.Z., Osborne, C.F.: A digital watermark. In: Proceedings of 1st International Conference on Image Processing, vol. 2, pp. 86–90 (1994). IEEE

  42. Bender, W., Gruhl, D., Morimoto, N., Lu, A.: Techniques for data hiding. IBM Syst. J. 35(3.4), 313–336 (1996)

  43. Cox, I.J., Kilian, J., Leighton, F.T., Shamoon, T.: Secure spread spectrum watermarking for multimedia. IEEE Trans. Image Process. 6(12), 1673–1687 (1997)

  44. Ruanaidh, J., Dowling, W., Boland, F.M.: Phase watermarking of digital images. In: Proceedings of 3rd IEEE International Conference on Image Processing, vol. 3, pp. 239–242 (1996). IEEE

  45. Kundur, D., Hatzinakos, D.: Digital watermarking using multiresolution wavelet decomposition. In: Proceedings of the 1998 IEEE International Conference on Acoustics, Speech and Signal Processing, ICASSP’98 (Cat. No. 98CH36181), vol. 5, pp. 2969–2972 (1998). IEEE

  46. Stallkamp, J., Schlipsing, M., Salmen, J., Igel, C.: Man vs. computer: Benchmarking machine learning algorithms for traffic sign recognition. Neural Netw. 32, 323–332 (2012)

  47. Krizhevsky, A., Hinton, G.: Learning multiple layers of features from tiny images. Technical report, University of Toronto (2009)

  48. He, K., Zhang, X., Ren, S., Sun, J.: Deep residual learning for image recognition. In: Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition, pp. 770–778 (2016)

Acknowledgements

Not applicable.

Funding

This work was supported by the National Natural Science Foundation of China (No.62002074, No.62102107).

Author information

Contributions

Ruitao Hou provided the main idea, designed the methodology and experiments, and prepared the manuscript. Teng Huang conducted the experimental analysis and manuscript preparation. Hongyang Yan and Lishan Ke performed the data analysis, edited and reviewed the manuscript. Weixuan Tang conducted the visualization analysis and drew the pictures in the manuscript.

Corresponding authors

Correspondence to Hongyang Yan or Lishan Ke.

Ethics declarations

Ethics approval

Not applicable for both human and/or animal studies.

Competing interests

The authors declare that they have no competing interests.

Additional information

Publisher's Note

Springer Nature remains neutral with regard to jurisdictional claims in published maps and institutional affiliations.

This article belongs to the Topical Collection: Special Issue on Privacy and Security in Machine Learning

Guest Editors: Jin Li, Francesco Palmieri and Changyu Dong.

Rights and permissions

Springer Nature or its licensor (e.g. a society or other partner) holds exclusive rights to this article under a publishing agreement with the author(s) or other rightsholder(s); author self-archiving of the accepted manuscript version of this article is solely governed by the terms of such publishing agreement and applicable law.

About this article

Cite this article

Hou, R., Huang, T., Yan, H. et al. A stealthy and robust backdoor attack via frequency domain transform. World Wide Web 26, 2767–2783 (2023). https://doi.org/10.1007/s11280-023-01153-3
