LaserGuider: A Laser Based Physical Backdoor Attack against Deep Neural Networks
Yongjie Xu, Guangke Chen, Fu Song, Yuqi Chen
TL;DR
LaserGuider introduces a laser-based physical backdoor attack that achieves remote control, high temporal stealth, and mobility by projecting laser spots onto objects to trigger backdoors trained via dataset poisoning; a two-stage approach combines digital trigger poisoning with physical laser triggering, optimized through a parameter-selection algorithm. The method demonstrates strong attack effectiveness on traffic sign recognition, with $A_p$ reaching approximately $90.5\%$–$95.3\%$ across red, green, and blue triggers, while preserving high clean accuracy, and extends to many-to-one and many-to-many backdoor configurations. The authors release LaserMark, a real-world traffic-sign dataset featuring physical laser triggers, and provide ablations and transferability analyses showing the optimization is robust across models; they also discuss defenses and emphasize the need for stronger defenses against laser-based physical backdoors in safety-critical systems.
Abstract
Backdoor attacks embed hidden associations between triggers and targets in deep neural networks (DNNs), causing them to predict the target when a trigger is present while maintaining normal behavior otherwise. Physical backdoor attacks, which use physical objects as triggers, are feasible but lack remote control, temporal stealthiness, flexibility, and mobility. To overcome these limitations, in this work, we propose a new type of backdoor triggers utilizing lasers that feature long-distance transmission and instant-imaging properties. Based on the laser-based backdoor triggers, we present a physical backdoor attack, called LaserGuider, which possesses remote control ability and achieves high temporal stealthiness, flexibility, and mobility. We also introduce a systematic approach to optimize laser parameters for improving attack effectiveness. Our evaluation on traffic sign recognition DNNs, critical in autonomous vehicles, demonstrates that LaserGuider with three different laser-based triggers achieves over 90% attack success rate with negligible impact on normal inputs. Additionally, we release LaserMark, the first dataset of real world traffic signs stamped with physical laser spots, to support further research in backdoor attacks and defenses.