Rethinking the Trigger of Backdoor Attack
Keywords: Backdoor Attack, Backdoor Defense, Security, Deep Learning
Abstract: Backdoor attack intends to inject hidden backdoor into the deep neural networks (DNNs), such that the prediction of the infected model will be maliciously changed if the hidden backdoor is activated by the attacker-defined trigger, while it performs well on benign samples. Currently, most of existing backdoor attacks adopted the setting of \emph{static} trigger, $i.e.,$ triggers across the training and testing images follow the same appearance and are located in the same area. In this paper, we revisit this attack paradigm by analyzing the characteristics of the static trigger. We demonstrate that such an attack paradigm is vulnerable when the trigger in testing images is not consistent with the one used for training. We further explore how to utilize this property for backdoor defense, and discuss how to alleviate such vulnerability of existing attacks. We hope that this work could inspire more explorations on backdoor properties, to help the design of more advanced backdoor defense and attack methods.
One-sentence Summary: We demonstrate that existing backdoor attacks are vulnerable when the trigger in testing images is not consistent with the one used for training, based on which we explore how to utilize this property for defense and improve such vulnerability.
Code Of Ethics: I acknowledge that I and all co-authors of this work have read and commit to adhering to the ICLR Code of Ethics
Community Implementations: [ 5 code implementations](https://www.catalyzex.com/paper/arxiv:2004.04692/code)
Reviewed Version (pdf): https://openreview.net/references/pdf?id=wp0k6pA_5j
4 Replies
Loading