A Dual Stealthy Backdoor: From Both Spatial and Frequency Perspectives

Authors

  • Yudong Gao College of Control Science and Engineering, China University of Petroleum (East China), P.R. China
  • Honglong Chen College of Control Science and Engineering, China University of Petroleum (East China), P.R. China
  • Peng Sun College of Computer Science and Electronic Engineering, Hunan University, P.R. China
  • Junjian Li College of Control Science and Engineering, China University of Petroleum (East China), P.R. China
  • Anqing Zhang College of Control Science and Engineering, China University of Petroleum (East China), P.R. China
  • Zhibo Wang School of Cyber Science and Technology, Zhejiang University, P.R. China
  • Weifeng Liu College of Control Science and Engineering, China University of Petroleum (East China), P.R. China

DOI:

https://doi.org/10.1609/aaai.v38i3.27954

Keywords:

CV: Adversarial Attacks & Robustness, CV: Object Detection & Categorization

Abstract

Backdoor attacks pose serious security threats to deep neural networks (DNNs). Backdoored models make arbitrarily (targeted) incorrect predictions on inputs containing well-designed triggers, while behaving normally on clean inputs. Prior researches have explored the invisibility of backdoor triggers to enhance attack stealthiness. However, most of them only focus on the invisibility in the spatial domain, neglecting the generation of invisible triggers in the frequency domain. This limitation renders the generated poisoned images easily detectable by recent defense methods. To address this issue, we propose a DUal stealthy BAckdoor attack method named DUBA, which simultaneously considers the invisibility of triggers in both the spatial and frequency domains, to achieve desirable attack performance, while ensuring strong stealthiness. Specifically, we first use Wavelet Transform to embed the high-frequency information of the trigger image into the clean image to ensure attack effectiveness. Then, to attain strong stealthiness, we incorporate Fourier Transform and Cosine Transform to mix the poisoned image and clean image in the frequency domain. Moreover, DUBA adopts a novel attack strategy, training the model with weak triggers and attacking with strong triggers to further enhance attack performance and stealthiness. DUBA is evaluated extensively on four datasets against popular image classifiers, showing significant superiority over state-of-the-art backdoor attacks in attack success rate and stealthiness.
AAAI-24 / IAAI-24 / EAAI-24 Proceedings Cover

Downloads

Published

2024-03-24

How to Cite

Gao, Y., Chen, H., Sun, P., Li, J., Zhang, A., Wang, Z., & Liu, W. (2024). A Dual Stealthy Backdoor: From Both Spatial and Frequency Perspectives. Proceedings of the AAAI Conference on Artificial Intelligence, 38(3), 1851-1859. https://doi.org/10.1609/aaai.v38i3.27954

Issue

Vol. 38 No. 3: AAAI-24 Technical Tracks 3

Section

AAAI Technical Track on Computer Vision II