Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

NoiseAttack: An Evasive Sample-Specific Multi-Targeted Backdoor Attack Through White Gaussian Noise

Abdullah Arafat Miah, Kaan Icer, Resit Sendag, Yu Bi

TL;DR

NoiseAttack introduces a novel sample-specific, multi-target backdoor that leverages the power spectral density of White Gaussian Noise as a trigger. By training with per-target noise levels, the attack can steer a victim-class input to multiple attacker-defined targets while preserving performance on clean samples, and it remains robust against contemporary defenses. Across image classification and object detection, NoiseAttack achieves high average attack success rates with minimal degradation of clean accuracy and demonstrates evasion of methods like Grad-CAM, Neural Cleanse, and STRIP. This work highlights a practical vulnerability in DNNs and motivates the development of defenses capable of detecting distributed frequency-domain triggers.

Abstract

Backdoor attacks pose a significant threat when using third-party data for deep learning development. In these attacks, data can be manipulated to cause a trained model to behave improperly when a specific trigger pattern is applied, providing the adversary with unauthorized advantages. While most existing works focus on designing trigger patterns in both visible and invisible to poison the victim class, they typically result in a single targeted class upon the success of the backdoor attack, meaning that the victim class can only be converted to another class based on the adversary predefined value. In this paper, we address this issue by introducing a novel sample-specific multi-targeted backdoor attack, namely NoiseAttack. Specifically, we adopt White Gaussian Noise (WGN) with various Power Spectral Densities (PSD) as our underlying triggers, coupled with a unique training strategy to execute the backdoor attack. This work is the first of its kind to launch a vision backdoor attack with the intent to generate multiple targeted classes with minimal input configuration. Furthermore, our extensive experimental results demonstrate that NoiseAttack can achieve a high attack success rate against popular network architectures and datasets, as well as bypass state-of-the-art backdoor detection methods. Our source code and experiments are available at https://github.com/SiSL-URI/NoiseAttack/tree/main.

NoiseAttack: An Evasive Sample-Specific Multi-Targeted Backdoor Attack Through White Gaussian Noise

TL;DR

NoiseAttack introduces a novel sample-specific, multi-target backdoor that leverages the power spectral density of White Gaussian Noise as a trigger. By training with per-target noise levels, the attack can steer a victim-class input to multiple attacker-defined targets while preserving performance on clean samples, and it remains robust against contemporary defenses. Across image classification and object detection, NoiseAttack achieves high average attack success rates with minimal degradation of clean accuracy and demonstrates evasion of methods like Grad-CAM, Neural Cleanse, and STRIP. This work highlights a practical vulnerability in DNNs and motivates the development of defenses capable of detecting distributed frequency-domain triggers.

Abstract

Backdoor attacks pose a significant threat when using third-party data for deep learning development. In these attacks, data can be manipulated to cause a trained model to behave improperly when a specific trigger pattern is applied, providing the adversary with unauthorized advantages. While most existing works focus on designing trigger patterns in both visible and invisible to poison the victim class, they typically result in a single targeted class upon the success of the backdoor attack, meaning that the victim class can only be converted to another class based on the adversary predefined value. In this paper, we address this issue by introducing a novel sample-specific multi-targeted backdoor attack, namely NoiseAttack. Specifically, we adopt White Gaussian Noise (WGN) with various Power Spectral Densities (PSD) as our underlying triggers, coupled with a unique training strategy to execute the backdoor attack. This work is the first of its kind to launch a vision backdoor attack with the intent to generate multiple targeted classes with minimal input configuration. Furthermore, our extensive experimental results demonstrate that NoiseAttack can achieve a high attack success rate against popular network architectures and datasets, as well as bypass state-of-the-art backdoor detection methods. Our source code and experiments are available at https://github.com/SiSL-URI/NoiseAttack/tree/main.
Paper Structure (14 sections, 7 equations, 7 figures, 5 tables)

This paper contains 14 sections, 7 equations, 7 figures, 5 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. Methodology
  4. Attack Model
  5. Problem Definition
  6. Trigger Function
  7. Backdoor Training
  8. Experimental Analysis
  9. Experimental Setup
  10. Quantitative Analysis
  11. Comparison with Prior Backdoor Attacks
  12. Robustness to Defense Methods
  13. Effectiveness in Object Detection Models
  14. Conclusion

Figures (7)

  • Figure 1: A overview of the proposed NoiseAttack, where we exploit the characteristics of White Gaussian Noise (WGN) to achieve a sample-specific multi-targeted backdoor attack.
  • Figure 2: An overview of the poisoned dataset preparation for the proposed NoiseAttack's backdoor training. The overview is given for one victim label and two target labels. $\sigma_1$ and $\sigma_2$ are the standard deviations of WGN, which are used as triggers for target 1 and target 2, respectively.
  • Figure 3: Variation of ASR for different Standard Deviations of WGN.
  • Figure 4: GradCam Visualization
  • Figure 5: Trigger Reconstruction Using Neural Cleanse
  • ...and 2 more figures