One-to-Multiple Clean-Label Image Camouflage (OmClic) based Backdoor Attack on Deep Learning

Guohong Wang, Hua Ma, Yansong Gao, Alsharif Abuadbba, Zhi Zhang, Wei Kang, Said F. Al-Sarawib, Gongxuan Zhang, Derek Abbott

TL;DR

OmClic addresses the limitation of single-input-size camouflage backdoors by crafting one attack image that can mislead models trained with multiple common input sizes. It achieves this through a multi-objective optimization that distributes perturbations across color channels, leveraging scale mappings $\textsf{Scale}_j(A)=L_j A R_j$ to target $k$ different sizes while keeping $A$ visually similar to the source. Empirically, OmClic maintains comparable backdoor effectiveness to plain backdoors across datasets and architectures, while dramatically reducing the attack budget and enabling transferability. The work also proposes a lightweight defense, InterResize, to disrupt camouflage by inserting an intermediate random resize step. Overall, OmClic demonstrates practical, model-agnostic backdoor risk across varied input sizes and offers actionable mitigation strategies for defenders.
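A defender's view of the scale mapping $\textsf{Scale}_j(A)=L_j A R_j$ and of the intermediate-resize idea, as an added example that is not code from the paper: it builds the one-axis coefficient matrix of a resize and measures how many source pixels each operator actually reads, then shows how an intermediate size changes the effective operator. Assumptions: a bilinear kernel without antialiasing, a constructed 400-pixel source axis, the output sizes 100 and 50 from the Figure 1 caption, and an intermediate size drawn between the output and source sizes; all function names are hypothetical.

```python
import math
import random

def bilinear_matrix(n_out, n_in):
    """One-axis resize operator: row i holds output pixel i's weights on the inputs."""
    rows = []
    for i in range(n_out):
        src = (i + 0.5) * n_in / n_out - 0.5       # half-pixel centre mapping
        src = min(max(src, 0.0), n_in - 1.0)       # clamp at the borders
        x0 = int(math.floor(src))
        x1 = min(x0 + 1, n_in - 1)
        frac = src - x0
        row = [0.0] * n_in
        row[x0] += 1.0 - frac
        row[x1] += frac
        rows.append(row)
    return rows

def matmul(a, b):
    """Product of two operators, skipping the zero weights in each row of a."""
    out = []
    for r in a:
        nz = [(k, w) for k, w in enumerate(r) if w]
        out.append([sum(w * b[k][c] for k, w in nz) for c in range(len(b[0]))])
    return out

def coverage(m):
    """Fraction of input pixels that carry non-zero weight in some output pixel."""
    used = {c for row in m for c, w in enumerate(row) if w > 1e-12}
    return len(used) / len(m[0])

def inter_resize_matrix(n_out, n_in, n_mid=None, rng=random):
    """Effective operator when the image is first resized to n_mid, then to n_out."""
    if n_mid is None:
        n_mid = rng.randint(n_out + 1, n_in - 1)   # assumed range, not from the paper
    return matmul(bilinear_matrix(n_out, n_mid), bilinear_matrix(n_mid, n_in))

def report(n_in=400, sizes=(100, 50)):             # 400 is a constructed source size
    """Coverage of the direct resize versus one random intermediate resize, per size."""
    return {n: (coverage(bilinear_matrix(n, n_in)),
                coverage(inter_resize_matrix(n, n_in))) for n in sizes}

if __name__ == "__main__":
    for size, (direct, mixed) in report().items():
        print(f"{size}: direct coverage {direct:.2f}, with intermediate resize {mixed:.2f}")
```

Low coverage means the resized image is determined by a small, fixed subset of source pixels; with a random intermediate size the effective operator is no longer the fixed $L_j$ that the training pipeline would otherwise apply.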

Abstract

Image camouflage has been utilized to create clean-label poisoned images for implanting a backdoor into a DL model. However, a crucial limitation is that one attack/poisoned image can only fit a single input size of the DL model, which greatly increases the attack budget when attacking multiple commonly adopted input sizes of DL models. This work proposes OmClic, which constructively crafts an attack image through camouflaging that can fit multiple DL models' input sizes simultaneously. Thus, through OmClic, we are able to always implant a backdoor regardless of which common input size is chosen by the user to train the DL model, given the same attack budget (i.e., a fraction of the poisoning rate). With our camouflaging algorithm formulated as a multi-objective optimization, M=5 input sizes can be concurrently targeted with one attack image, whose artifact remains almost visually imperceptible at the same time. Extensive evaluations validate that the proposed OmClic can reliably succeed in various settings using diverse types of images. Further experiments on OmClic-based backdoor insertion into DL models show that high backdoor performance (i.e., attack success rate and clean data accuracy) is achievable no matter which common input size is randomly chosen by the user to train the model. As a result, the OmClic-based backdoor attack budget is reduced by M$\times$ compared to the state-of-the-art camouflage-based backdoor attack as a baseline. Significantly, the same set of OmClic-based poisonous attack images is transferable to different model architectures for backdoor implantation.

Paper Structure (28 sections, 6 equations, 14 figures, 4 tables, 1 algorithm)

This paper contains 28 sections, 6 equations, 14 figures, 4 tables, 1 algorithm.

Figures (14)

  • Figure 1: Feature consolidation cannot compromise image semantics of any input size through abusing image resize operation. Traditional camouflage attack can only compromise one input size e.g., $100\times 100$. Our OmClic now can compromise multiple input sizes e.g., $100\times 100$ and $50\times 50$.
  • Figure 2: OmClic overview. Three target images with different semantic contents and sizes are used for example.
  • Figure 3: Different target images with different sizes. Animal images are used.
  • Figure 4: Same target image with different sizes. Face images are used.
  • Figure 5: Same target image with different resize functions. Landscape images are used.
  • ...and 9 more figures