BELT: Old-School Backdoor Attacks can Evade the State-of-the-Art Defense with Backdoor Exclusivity Lifting
arxiv(2023)
摘要
Deep neural networks (DNNs) are susceptible to backdoor attacks, where
malicious functionality is embedded to allow attackers to trigger incorrect
classifications. Old-school backdoor attacks use strong trigger features that
can easily be learned by victim models. Despite robustness against input
variation, the robustness however increases the likelihood of unintentional
trigger activations. This leaves traces to existing defenses, which find
approximate replacements for the original triggers that can activate the
backdoor without being identical to the original trigger via, e.g., reverse
engineering and sample overlay.
In this paper, we propose and investigate a new characteristic of backdoor
attacks, namely, backdoor exclusivity, which measures the ability of backdoor
triggers to remain effective in the presence of input variation. Building upon
the concept of backdoor exclusivity, we propose Backdoor Exclusivity LifTing
(BELT), a novel technique which suppresses the association between the backdoor
and fuzzy triggers to enhance backdoor exclusivity for defense evasion.
Extensive evaluation on three popular backdoor benchmarks validate, our
approach substantially enhances the stealthiness of four old-school backdoor
attacks, which, after backdoor exclusivity lifting, is able to evade seven
state-of-the-art backdoor countermeasures, at almost no cost of the attack
success rate and normal utility. For example, one of the earliest backdoor
attacks BadNet, enhanced by BELT, evades most of the state-of-the-art defenses
including ABS and MOTH which would otherwise recognize the backdoored model.
更多查看译文
AI 理解论文
溯源树
样例
生成溯源树,研究论文发展脉络
Chat Paper
正在生成论文摘要