Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Backdooring Outlier Detection Methods: A Novel Attack Approach

ZeinabSadat Taghavi, Hossein Mirzaei

TL;DR

The paper addresses the vulnerability of open-set outlier detection to backdoor attacks, a gap left by prior work focused on closed-set classification. It introduces BATOD, which targets the open-set boundary by constructing two trigger types—In-Triggers to misclassify outliers as inliers and Out-Triggers to bias inliers toward uncertain, outlier-like predictions—trained via a surrogate model and a discriminator that distinguishes inliers from outliers. Through synthetic outlier generation using negative transformations and adversarial trigger design, BATOD degrades open-set performance while maintaining closed-set accuracy, and it demonstrates robustness against several defenses across multiple OSR and OOD datasets. The results underscore the need for defense strategies that specifically address open-set backdoors, with implications for safety-critical deployments in autonomous driving, medical imaging, and biometric systems.

Abstract

There have been several efforts in backdoor attacks, but these have primarily focused on the closed-set performance of classifiers (i.e., classification). This has left a gap in addressing the threat to classifiers' open-set performance, referred to as outlier detection in the literature. Reliable outlier detection is crucial for deploying classifiers in critical real-world applications such as autonomous driving and medical image analysis. First, we show that existing backdoor attacks fall short in affecting the open-set performance of classifiers, as they have been specifically designed to confuse intra-closed-set decision boundaries. In contrast, an effective backdoor attack for outlier detection needs to confuse the decision boundary between the closed and open sets. Motivated by this, in this study, we propose BATOD, a novel Backdoor Attack targeting the Outlier Detection task. Specifically, we design two categories of triggers to shift inlier samples to outliers and vice versa. We evaluate BATOD using various real-world datasets and demonstrate its superior ability to degrade the open-set performance of classifiers compared to previous attacks, both before and after applying defenses.

Backdooring Outlier Detection Methods: A Novel Attack Approach

TL;DR

The paper addresses the vulnerability of open-set outlier detection to backdoor attacks, a gap left by prior work focused on closed-set classification. It introduces BATOD, which targets the open-set boundary by constructing two trigger types—In-Triggers to misclassify outliers as inliers and Out-Triggers to bias inliers toward uncertain, outlier-like predictions—trained via a surrogate model and a discriminator that distinguishes inliers from outliers. Through synthetic outlier generation using negative transformations and adversarial trigger design, BATOD degrades open-set performance while maintaining closed-set accuracy, and it demonstrates robustness against several defenses across multiple OSR and OOD datasets. The results underscore the need for defense strategies that specifically address open-set backdoors, with implications for safety-critical deployments in autonomous driving, medical imaging, and biometric systems.

Abstract

There have been several efforts in backdoor attacks, but these have primarily focused on the closed-set performance of classifiers (i.e., classification). This has left a gap in addressing the threat to classifiers' open-set performance, referred to as outlier detection in the literature. Reliable outlier detection is crucial for deploying classifiers in critical real-world applications such as autonomous driving and medical image analysis. First, we show that existing backdoor attacks fall short in affecting the open-set performance of classifiers, as they have been specifically designed to confuse intra-closed-set decision boundaries. In contrast, an effective backdoor attack for outlier detection needs to confuse the decision boundary between the closed and open sets. Motivated by this, in this study, we propose BATOD, a novel Backdoor Attack targeting the Outlier Detection task. Specifically, we design two categories of triggers to shift inlier samples to outliers and vice versa. We evaluate BATOD using various real-world datasets and demonstrate its superior ability to degrade the open-set performance of classifiers compared to previous attacks, both before and after applying defenses.

Paper Structure

This paper contains 26 sections, 9 equations, 6 figures, 9 tables, 3 algorithms.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Method
  4. Synthesis of Out-of-Distribution Samples
  5. Trigger Generation and Poisoning train-set Overview:
  6. Creating the Discriminator
  7. Inference Time Application of Triggers:
  8. Experimental Evaluation
  9. Ablation
  10. Conclusion
  11. Detailed Results
  12. Datasets
  13. Cityscapes
  14. ADNI Neuroimaging
  15. Pubfig
  16. ...and 11 more sections

Figures (6)

  • Figure 1: Comparison of backdoor attacks: In the top row, you can view trojaned samples for each attack, and in the bottom row, the residual image is calculated by subtracting the clean sample from the trojaned sample.
  • Figure 2: Two sample images from Cityscapes dataset
  • Figure 3: Two sample images from ADNI dataset
  • Figure 4: Resilience to GradCAM
  • Figure 5: Resilience to STRIP
  • ...and 1 more figures