Poisoning-based Backdoor Attacks for Arbitrary Target Label with Positive Triggers

Binxiao Huang, Jason Chun Lok, Chang Liu, Ngai Wong

TL;DR

This work analyzes poisoning-based backdoor attacks in image classification and introduces Poisoning via Positive Triggers (PPT), a framework in which a trigger generator trained on clean data creates input-label-aware poisons to realize multi-label, multi-payload backdoors. Triggers are categorized as positive, neutral, or negative, with positive triggers explicitly moving inputs toward a target label, enabling arbitrary target predictions without controlling training. PPT builds poisoned datasets by applying targeted perturbations within a constrained norm, and an inference-time trigger steers outputs to any chosen label while preserving clean accuracy. Across SVHN, CIFAR10, GTSRB, and Tiny ImageNet, PPT achieves a high attack success rate (ASR) with minimal loss of accuracy (ACC), and shows resilience against the STRIP, spectral signatures, and fine-pruning defenses, highlighting a significant challenge for current defense mechanisms and urging new protective strategies.

Abstract

Poisoning-based backdoor attacks expose vulnerabilities in the data preparation stage of deep neural network (DNN) training. DNNs trained on the poisoned dataset will be embedded with a backdoor, making them behave well on clean data while outputting malicious predictions whenever a trigger is applied. To exploit the abundant information contained in the mapping from input data to output labels, our scheme utilizes the network trained from the clean dataset as a trigger generator to produce poisons that significantly raise the success rate of backdoor attacks versus conventional approaches. Specifically, we provide a new categorization of triggers inspired by the adversarial technique and develop a multi-label and multi-payload Poisoning-based backdoor attack with Positive Triggers (PPT), which effectively moves the input closer to the target label on benign classifiers. After the classifier is trained on the poisoned dataset, we can generate an input-label-aware trigger to make the infected classifier predict any given input to any target label with a high probability. Under both dirty- and clean-label settings, we show empirically that the proposed attack achieves a high attack success rate without sacrificing accuracy across various datasets, including SVHN, CIFAR10, GTSRB, and Tiny ImageNet. Furthermore, the PPT attack can elude a variety of classical backdoor defenses, proving its effectiveness.

Paper Structure

This paper contains 47 sections, 5 equations, 13 figures, 8 tables, 1 algorithm.

Figures (13)

  • Figure 1: Positive, neutral and negative triggers from a cat image to dog and from a dog image to cat of a benign classifier.
  • Figure 2: The overall framework of PPT: the solid box (upper) shows the data poisoning process, and the dashed box (lower) shows the process of training a classifier on the poisoned dataset and performing inference on the clean and poisoned inputs. The triggers of the poisoned data are magnified five times for better understanding.
  • Figure 3: Ablation studies of poisoning rate on (a) SVHN, (b) CIFAR10, (c) GTSRB, and (d) Tiny ImageNet for dirty-label attack.
  • Figure 4: Entropy distributions on (a) SVHN, (b) CIFAR10, (c) GTSRB, and (d) Tiny ImageNet.
  • Figure 5: Spectral signature on (a) SVHN, (b) CIFAR10, (c) GTSRB, and (d) Tiny ImageNet.
  • ...and 8 more figures