
A Proxy Attack-Free Strategy for Practically Improving the Poisoning Efficiency in Backdoor Attacks

Ziqiang Li, Hong Sun, Pengfei Xia, Beihao Xia, Xue Rui, Wei Zhang, Qinglang Guo, Zhangjie Fu, Bin Li

TL;DR

This work tackles the inefficiency and time cost of proxy-attack-based sample selection in poisoning-based backdoor attacks. It introduces the Proxy attack-Free Strategy (PFS), which selects poisoning samples by maximizing the similarity between clean samples and their corresponding poisoned samples in a pre-trained feature space while enforcing diversity through a diversity parameter; PFS can also be combined with FUS for further gains. The authors provide Neural Tangent Kernel (NTK)-based theory to justify that high similarity and diversity increase the attack's confidence, and they validate PFS across CIFAR-10, CIFAR-100, and Tiny-ImageNet with multiple triggers and architectures. Empirically, PFS significantly improves attack efficiency and dramatically reduces computation time compared to proxy-based methods, and it remains robust across different feature extractors and defenses, although some limitations persist. Overall, the paper makes a practical, scalable step toward efficient backdoor injection by removing the dependence on proxy-task settings and highlighting the balance between similarity and diversity in sample selection.

Abstract

Poisoning efficiency is crucial in poisoning-based backdoor attacks, as attackers aim to minimize the number of poisoning samples while maximizing attack efficacy. Recent studies have sought to enhance poisoning efficiency by selecting effective samples. However, these studies typically rely on a proxy backdoor injection task to identify an efficient set of poisoning samples. This proxy attack-based approach can lead to performance degradation if the proxy attack settings differ from those of the actual victims, due to the shortcut nature of backdoor learning. Furthermore, proxy attack-based methods are extremely time-consuming, as they require numerous complete backdoor injection processes for sample selection. To address these concerns, we present a Proxy attack-Free Strategy (PFS) designed to identify efficient poisoning samples based on the similarity between clean samples and their corresponding poisoning samples, as well as the diversity of the poisoning set. The proposed PFS is motivated by the observation that selecting samples with high similarity between clean and corresponding poisoning samples results in significantly higher attack success rates compared to using samples with low similarity. Additionally, we provide theoretical foundations to explain the proposed PFS. We comprehensively evaluate the proposed strategy across various datasets, triggers, poisoning rates, architectures, and training hyperparameters. Our experimental results demonstrate that PFS enhances backdoor attack efficiency while also offering a remarkable speed advantage over previous proxy attack-based selection methodologies.

Paper Structure

This paper contains 30 sections, 2 theorems, 7 equations, 11 figures, 12 tables, and 1 algorithm.

Key Result

Theorem 1

Suppose the training dataset consists of $N$ benign samples $\{(x_i,y_i)\}^{N}_{i=1}$ and $P$ poisoned samples $\{(x'_i,k)\}^{P}_{i=1}$, whose images are i.i.d. sampled from a uniform distribution and belong to $m$ classes. Assume that the DNN $f_\theta(\cdot)$ is a multivariate kernel regression $

Figures (11)

  • Figure 1: The pipeline of poisoning-based backdoor attacks typically involves an attacker who combines a clean dataset (D) with a trigger (T) to create a poisoned dataset (D+T), which is then released to the victims. The victims download the poisoned data and use it to train their DNN models, applying various data transformations and augmentations (F) and hyperparameters (H) during training. As a result, the DNN models can be infected with the backdoor, which can be activated by a specific trigger condition during the inference phase.
  • Figure 2: Three visualizations of the similarity distribution and ASR using different poisoning samples. On the left, the cosine similarity between benign and corresponding poisoning samples within the feature space of a pre-trained ResNet model is illustrated. This visualization covers a set of 500 samples obtained through random sampling and a set of 500 samples obtained through the FUS search process. The horizontal axis corresponds to the cosine distance. In the middle, we present a t-SNE visualization that contains the complete 50,000-sample dataset and a subset of 500 samples selected using different similarity-based sampling methods. This includes four sets: Top-500 similarity samples, Bottom-500 similarity samples, Top-5,000 similarity random 500 sampling, and FUS-searched 500 samples. Lastly, on the right, we illustrate the ASR attained using different sets of 500 poisoning samples. The horizontal axis is annotated with labels '0', '1', '2', '3', '4', and '5', representing different sampling methods: Random sampling, FUS-selected, Top-500 similarity sampling, Bottom-500 similarity sampling, Top-5K similarity random 500 sampling, and Bottom-5K similarity random 500 sampling, respectively. Each displayed result is the average outcome of five different runs.
  • Figure 3: The ASR in scenarios where the data transformations (F) used during the proxy poisoning attack in the attacker phase of FUS differ from those of the actual poisoning process in the victim phase. SELF-FUS represents an ideal scenario for FUS, in which the proxy poisoning attack in the attacker phase is assumed to be consistent with the actual poisoning process in the victim phase; this consistency is not guaranteed in FUS. The horizontal axis is annotated with labels "0", "1", "2", "3", and "4", corresponding to different data transformations: "None", "RandomCrop", "RandomHorizontalFlip", "RandomRotation", and "ColorJitter", respectively. Each reported result is an average computed from five separate runs.
  • Figure 4: The ASR in scenarios where the hyperparameters (H) used during the proxy poisoning attack in the attacker phase of FUS differ from those of the actual poisoning process in the victim phase. The coordinates "V-13, SGD, 0.01" on the horizontal axis denote the use of VGG-13 as the architecture and SGD with an initial learning rate of 0.1 as the optimizer. Each reported result is an average computed from five separate runs.
  • Figure 5: The attack success rate in situations where both the data transformation (F) and the hyperparameters (H) used during the actual attack in the victim phase differ from those used in the search process with Gradient [gao2023not], OPS [guo2023temporal], and FUS [xia2022data] on the Tiny-ImageNet dataset. The horizontal coordinates are labeled "0", "1", "2", "3", and "4", representing different combinations of data transforms and hyperparameters. All results are computed as the mean of five different runs.
  • ...and 6 more figures

Theorems & Definitions (3)

  • Theorem 1
  • Theorem 2
  • Proof 1: Proof of Theorem 1