Abstract: All current backdoor attacks on deep learning (DL) models fall under the category of a vertical class backdoor (VCB). In VCB attacks, any sample from a class activates the implanted backdoor when the secret trigger is present, regardless of whether it is a sub-type source-class-agnostic backdoor or a source-class-specific backdoor. For example, a trigger of sunglasses could mislead a facial recognition model when either an arbitrary (source-class-agnostic) or a specific (source-class-specific) person wears sunglasses. Existing defense strategies overwhelmingly focus on countering VCB attacks, especially those that are source-class-agnostic. This narrow focus neglects the potential threat of other simpler yet general backdoor types, creating a false sense of security. It is, therefore, crucial to discover and elucidate unknown backdoor types, particularly those that can be easily implemented, as a mandatory step before developing countermeasures. This study introduces a new, simple, and general type of backdoor attack, the horizontal class backdoor (HCB), that trivially breaches the class dependence characteristic of the VCB, bringing a fresh perspective to the field. An HCB is activated when the trigger is presented together with an innocuous feature, regardless of class. For example, under an HCB, the trigger of sunglasses could mislead a facial recognition model in the presence of the innocuous feature smiling. Smiling is innocuous because it is irrelevant to the main task of facial recognition. The key is that these innocuous features (such as rain, fog, or snow in autonomous driving or facial expressions like smiling or sadness in facial recognition) are horizontally shared among classes but are exhibited by only some of the samples in each class.
Extensive experiments on attacking performance across various tasks, including MNIST, facial recognition, traffic sign recognition, object detection, and medical diagnosis, confirm the high efficiency and effectiveness of the HCB. We rigorously evaluated the evasiveness of the HCB against a series of eleven representative countermeasures, including Fine-Pruning (RAID '18), STRIP (ACSAC '19), Neural Cleanse (Oakland '19), ABS (CCS '19), Februus (ACSAC '20), NAD (ICLR '21), MNTD (Oakland '21), SCAn (USENIX SEC '21), MOTH (Oakland '22), Beatrix (NDSS '23), and MM-BD (Oakland '24). None of these countermeasures proves robust, even when the attack employs a simplistic trigger, such as a small and static white-square patch.