Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A general approach to enhance the survivability of backdoor attacks by decision path coupling

Yufei Zhao, Dingji Wang, Bihuan Chen, Ziqian Chen, Xin Peng

TL;DR

Venom addresses the gap of backdoor survivability against model reconstruction-based defenses by formulating a binary-task optimization that preserves the original attack while enhancing survivability through an attention imitation mechanism anchored on a Target Crucial Decision Path. The method comprises micro-training, TCDP generation, and a dynamic binary-task training regime that aligns poisoned and benign decision paths, increasing resistance to unlearning and pruning defenses. Across two networks, three datasets, eight attacks, and eight defenses, Venom significantly boosts Attack Survivability Rate (ASuR) with only minimal impact on Benign Accuracy and without hurting trigger stealthiness, demonstrating the practical risk of current defenses. The work also offers explainability analyses (Grad-CAM, activation similarity, CK A) to illuminate how Venom achieves its effects and discusses potential defenses such as weight perturbations, underscoring the need for robust, defense-aware mitigation strategies.

Abstract

Backdoor attacks have been one of the emerging security threats to deep neural networks (DNNs), leading to serious consequences. One of the mainstream backdoor defenses is model reconstruction-based. Such defenses adopt model unlearning or pruning to eliminate backdoors. However, little attention has been paid to survive from such defenses. To bridge the gap, we propose Venom, the first generic backdoor attack enhancer to improve the survivability of existing backdoor attacks against model reconstruction-based defenses. We formalize Venom as a binary-task optimization problem. The first is the original backdoor attack task to preserve the original attack capability, while the second is the attack enhancement task to improve the attack survivability. To realize the second task, we propose attention imitation loss to force the decision path of poisoned samples in backdoored models to couple with the crucial decision path of benign samples, which makes backdoors difficult to eliminate. Our extensive evaluation on two DNNs and three datasets has demonstrated that Venom significantly improves the survivability of eight state-of-the-art attacks against eight state-of-the-art defenses without impacting the capability of the original attacks.

A general approach to enhance the survivability of backdoor attacks by decision path coupling

TL;DR

Venom addresses the gap of backdoor survivability against model reconstruction-based defenses by formulating a binary-task optimization that preserves the original attack while enhancing survivability through an attention imitation mechanism anchored on a Target Crucial Decision Path. The method comprises micro-training, TCDP generation, and a dynamic binary-task training regime that aligns poisoned and benign decision paths, increasing resistance to unlearning and pruning defenses. Across two networks, three datasets, eight attacks, and eight defenses, Venom significantly boosts Attack Survivability Rate (ASuR) with only minimal impact on Benign Accuracy and without hurting trigger stealthiness, demonstrating the practical risk of current defenses. The work also offers explainability analyses (Grad-CAM, activation similarity, CK A) to illuminate how Venom achieves its effects and discusses potential defenses such as weight perturbations, underscoring the need for robust, defense-aware mitigation strategies.

Abstract

Backdoor attacks have been one of the emerging security threats to deep neural networks (DNNs), leading to serious consequences. One of the mainstream backdoor defenses is model reconstruction-based. Such defenses adopt model unlearning or pruning to eliminate backdoors. However, little attention has been paid to survive from such defenses. To bridge the gap, we propose Venom, the first generic backdoor attack enhancer to improve the survivability of existing backdoor attacks against model reconstruction-based defenses. We formalize Venom as a binary-task optimization problem. The first is the original backdoor attack task to preserve the original attack capability, while the second is the attack enhancement task to improve the attack survivability. To realize the second task, we propose attention imitation loss to force the decision path of poisoned samples in backdoored models to couple with the crucial decision path of benign samples, which makes backdoors difficult to eliminate. Our extensive evaluation on two DNNs and three datasets has demonstrated that Venom significantly improves the survivability of eight state-of-the-art attacks against eight state-of-the-art defenses without impacting the capability of the original attacks.
Paper Structure (24 sections, 5 equations, 12 figures, 11 tables, 2 algorithms)

This paper contains 24 sections, 5 equations, 12 figures, 11 tables, 2 algorithms.

Table of Contents

  1. Introduction
  2. Related Work
  3. Backdoor Defenses
  4. Backdoor Attacks
  5. Threat Model
  6. Methodology
  7. Formalization of Venom
  8. Overview of Venom
  9. Micro-Training
  10. Target Crucial Decision Path Generation
  11. Binary-Task Training
  12. Evaluation
  13. Evaluation Setup
  14. Capability Preservation Evaluation (RQ1)
  15. Survivability Evaluation (RQ2)
  16. ...and 9 more sections

Figures (12)

  • Figure 1: The threat model of Venom on two typical scenarios. During the backdoor injection, the attacker can only control the pipeline within the attacker's capabilities (red areas), but cannot change any victim's behaviors (black areas).
  • Figure 2: Approach overview of Venom.
  • Figure 3: Illustration of attention imitation loss.
  • Figure 4: Training process using different strategy.
  • Figure 5: T-SNE visualization of latent inseparability. Benign and poisoned samples are respectively blue and red points.
  • ...and 7 more figures