Under-confidence Backdoors Are Resilient and Stealthy Backdoors
Minlong Peng, Zidi Xiong, Quang H. Nguyen, Mingming Sun, Khoa D. Doan, Ping Li
TL;DR
This paper tackles the over-confidence vulnerability of dirty-label backdoor attacks by introducing Label-Smoothed Backdoor Attack (LSBA), a data-level smoothing approach that replaces the conventional all-to-one label change with a per-example probability $p_t(m{x})$ of relabeling to the target class. The probability $p_t(m{x})$ is computed using a clean model to balance target-class probability and other classes, and can be modulated via backdoor stacking to control the attack strength without complete certainty. The authors provide theoretical guidance (via expressions involving $oldsymbol{ m oldsymbol{\\alpha}}(m{x})$ and $eta(m{x})$) and demonstrate empirically that LSBA preserves high attack success rates while significantly increasing stealth against defenses that exploit over-confidence, such as STRIP, Neural-Cleanse, Fine-Pruning, and NAD. Overall, LSBA demonstrates that reducing over-confidence through data-level smoothing can both enhance attack stealth and complicate defense, signaling a need for defenses that counter smoothing-based backdoors.
Abstract
By injecting a small number of poisoned samples into the training set, backdoor attacks aim to make the victim model produce designed outputs on any input injected with pre-designed backdoors. In order to achieve a high attack success rate using as few poisoned training samples as possible, most existing attack methods change the labels of the poisoned samples to the target class. This practice often results in severe over-fitting of the victim model over the backdoors, making the attack quite effective in output control but easier to be identified by human inspection or automatic defense algorithms. In this work, we proposed a label-smoothing strategy to overcome the over-fitting problem of these attack methods, obtaining a \textit{Label-Smoothed Backdoor Attack} (LSBA). In the LSBA, the label of the poisoned sample $\bm{x}$ will be changed to the target class with a probability of $p_n(\bm{x})$ instead of 100\%, and the value of $p_n(\bm{x})$ is specifically designed to make the prediction probability the target class be only slightly greater than those of the other classes. Empirical studies on several existing backdoor attacks show that our strategy can considerably improve the stealthiness of these attacks and, at the same time, achieve a high attack success rate. In addition, our strategy makes it able to manually control the prediction probability of the design output through manipulating the applied and activated number of LSBAs\footnote{Source code will be published at \url{https://github.com/v-mipeng/LabelSmoothedAttack.git}}.
