Go to OpenReview Archive homepageCASSOCK: Viable Backdoor Attacks against DNN in the Wall of Source-Specific Backdoor Defenses
Abstract: As a critical threat to deep neural networks (DNNs), backdoor attacks can be categorized into two types, i.e., source-agnostic backdoor attacks (SABAs) and source-specific backdoor attacks (SSBAs). Compared to traditional SABAs, SSBAs are more advanced in that they have superior stealthier in bypassing mainstream countermeasures that are effective against SABAs. Nonetheless, existing SSBAs suffer from two major limitations. First, they can hardly achieve a good trade-off between ASR (attack success rate) and FPR (false positive rate). Besides, they can be effectively detected by the state-of-the-art (SOTA) countermeasures (e.g., SCAn [40]).
To address the limitations above, we propose a new class of viable source-specific backdoor attacks coined as πΆπ΄ππππΆπΎ. Our
key insight is that trigger designs when creating poisoned data and cover data in SSBAs play a crucial role in demonstrating a viable source-specific attack, which has not been considered by existing SSBAs. With this insight, we focus on trigger transparency and
content when crafting triggers for poisoned dataset where a sample has an attacker-targeted label and cover dataset where a sample has a ground-truth label. Specifically, we implement πΆπ΄ππππΆπΎπ ππππ that designs a trigger with heterogeneous transparency to craft poisoned and cover datasets, presenting better attack performance than existing SSBAs. We also propose πΆπ΄ππππΆπΎπΆπππ‘ that extracts salient features of the attacker-targeted label to generate a trigger, entangling the trigger features with normal features of the label, which is stealthier in bypassing the SOTA defenses. While both πΆπ΄ππππΆπΎπ ππππ and πΆπ΄ππππΆπΎπΆπππ‘ are orthogonal, they are complementary to each other, generating a more powerful attack, called πΆπ΄ππππΆπΎπΆπππ , with further improved attack performance and stealthiness. To demonstrate their viability, we perform a comprehensive evaluation of the threeπΆπ΄ππππΆπΎ-based attacks on four popular datasets (i.e., MNIST, CIFAR10, GTSRB and LFW) and three SOTA defenses (i.e., extended Neural Cleanse [45], Februus [8], and SCAn [40]). Compared with a representative SSBA as a baseline (πππ΅π΄π΅ππ π ), πΆπ΄ππππΆπΎ-based attacks have significantly advanced the attack performance, i.e., higher ASR and lower FPR with comparable CDA (clean data accuracy). Besides, πΆπ΄ππππΆπΎ-based attacks have effectively bypassed the SOTA defenses, and πππ΅π΄π΅ππ π cannot.
0 Replies
Loading