LOTUS: Evasive and Resilient Backdoor Attacks through Sub-Partitioning

Siyuan Cheng; Guanhong Tao; Yingqi Liu; Guangyu Shen; Shengwei An; Shiwei Feng; Xiangzhe Xu; Kaiyuan Zhang; Shiqing Ma; Xiangyu Zhang

LOTUS: Evasive and Resilient Backdoor Attacks through Sub-Partitioning

Siyuan Cheng, Guanhong Tao, Yingqi Liu, Guangyu Shen, Shengwei An, Shiwei Feng, Xiangzhe Xu, Kaiyuan Zhang, Shiqing Ma, Xiangyu Zhang

21 Sept 2023 (modified: 25 Mar 2024)ICLR 2024 Conference Withdrawn SubmissionEveryoneRevisionsBibTeX

Keywords: Backdoor attack

Abstract: Backdoor attack poses a significant security threat to Deep Learning applications. Existing attacks are often not resilient to established backdoor detection and mitigation approaches. This susceptibility primarily stems from the fact that these attacks typically possess an unbounded or under-bounded attack scope. In other words, the trigger can cause misclassification for any input. This unbounded nature implies that the backdoored model overly emphasizes on spurious features of the trigger (e.g., only the color of a square patch), on which trigger inversion techniques can effortlessly generate effective triggers. In addition, the unbounded attack effects can be easily mitigated by backdoor removal methods. In this paper, we propose a novel backdoor attack LOTUS that is evasive and resilient by restricting the attack scope. Specifically, it leverages a secret function to separate samples in the victim class into a set of partitions and applies unique triggers to different partitions. Furthermore, LOTUS incorporates an effective trigger focusing mechanism, ensuring only the trigger corresponding to the partition can induce the backdoor behavior. Extensive experimental results show that LOTUS can achieve high attack success rate across 4 datasets and 7 model structures, and effectively evading 13 backdoor detection and mitigation techniques.

Primary Area: societal considerations including fairness, safety, privacy

Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics.

Submission Guidelines: I certify that this submission complies with the submission instructions as described on https://iclr.cc/Conferences/2024/AuthorGuide.

Anonymous Url: I certify that there is no URL (e.g., github page) that could be used to find authors' identity.

No Acknowledgement Section: I certify that there is no acknowledgement section in this submission for double blind review.

Submission Number: 3086

Loading