Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

A4O: All Trigger for One sample

Duc Anh Vu, Anh Tuan Tran, Cong Tran, Cuong Pham

TL;DR

The paper tackles the vulnerability of defenses trained for single-trigger backdoors by introducing All-For-One (A4O), a poisoning-based attack that aggregates multiple triggers into a single composite with carefully scaled magnitudes. It introduces two training modes, noise mode and joint mode, and demonstrates two deployment configurations (predefined triggers and generator-assisted triggers), achieving near-perfect attack success rates while preserving benign accuracy across CIFAR-10, CelebA, and Tiny-ImageNet. Across extensive defenses—Neural Cleanse, Fine-Pruning, RNP, STRIP, TeCo, MSPC, BTI-DBF—the A4O variants maintain strong performance and often bypass detection, highlighting a critical vulnerability in current backdoor-defense paradigms. The work emphasizes the need for defenses capable of detecting and mitigating multi-trigger, magnitude-optimized backdoors and provides a framework for evaluating such threats.

Abstract

Backdoor attacks have become a critical threat to deep neural networks (DNNs), drawing many research interests. However, most of the studied attacks employ a single type of trigger. Consequently, proposed backdoor defenders often rely on the assumption that triggers would appear in a unified way. In this paper, we show that this naive assumption can create a loophole, allowing more sophisticated backdoor attacks to bypass. We design a novel backdoor attack mechanism that incorporates multiple types of backdoor triggers, focusing on stealthiness and effectiveness. Our journey begins with the intriguing observation that the performance of a backdoor attack in deep learning models, as well as its detectability and removability, are all proportional to the magnitude of the trigger. Based on this correlation, we propose reducing the magnitude of each trigger type and combining them to achieve a strong backdoor relying on the combined trigger while still staying safely under the radar of defenders. Extensive experiments on three standard datasets demonstrate that our method can achieve high attack success rates (ASRs) while consistently bypassing state-of-the-art defenses.

A4O: All Trigger for One sample

TL;DR

The paper tackles the vulnerability of defenses trained for single-trigger backdoors by introducing All-For-One (A4O), a poisoning-based attack that aggregates multiple triggers into a single composite with carefully scaled magnitudes. It introduces two training modes, noise mode and joint mode, and demonstrates two deployment configurations (predefined triggers and generator-assisted triggers), achieving near-perfect attack success rates while preserving benign accuracy across CIFAR-10, CelebA, and Tiny-ImageNet. Across extensive defenses—Neural Cleanse, Fine-Pruning, RNP, STRIP, TeCo, MSPC, BTI-DBF—the A4O variants maintain strong performance and often bypass detection, highlighting a critical vulnerability in current backdoor-defense paradigms. The work emphasizes the need for defenses capable of detecting and mitigating multi-trigger, magnitude-optimized backdoors and provides a framework for evaluating such threats.

Abstract

Backdoor attacks have become a critical threat to deep neural networks (DNNs), drawing many research interests. However, most of the studied attacks employ a single type of trigger. Consequently, proposed backdoor defenders often rely on the assumption that triggers would appear in a unified way. In this paper, we show that this naive assumption can create a loophole, allowing more sophisticated backdoor attacks to bypass. We design a novel backdoor attack mechanism that incorporates multiple types of backdoor triggers, focusing on stealthiness and effectiveness. Our journey begins with the intriguing observation that the performance of a backdoor attack in deep learning models, as well as its detectability and removability, are all proportional to the magnitude of the trigger. Based on this correlation, we propose reducing the magnitude of each trigger type and combining them to achieve a strong backdoor relying on the combined trigger while still staying safely under the radar of defenders. Extensive experiments on three standard datasets demonstrate that our method can achieve high attack success rates (ASRs) while consistently bypassing state-of-the-art defenses.
Paper Structure (20 sections, 6 equations, 6 figures, 7 tables)

This paper contains 20 sections, 6 equations, 6 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. Backdoor Attacks
  4. Backdoor Defense
  5. Backdoor Trigger's Magnitude
  6. Backdoor Trigger's Magnitude Test
  7. Consistency of Trigger's Magnitude
  8. Proposed Method
  9. Threat Model
  10. All-For-One Backdoor Attack
  11. Overview
  12. Trigger Selection
  13. Poisoning Procedure
  14. Training Modes
  15. Experimental Results
  16. ...and 5 more sections

Figures (6)

  • Figure 1: Visualization of backdoor images from different methods. Images on top from left to right: the original image, images generated by Sharpening kernel attack kernel-attack, blended backdoor attack chen2017targeted, warping-based attack nguyen2021wanet, and the proposed A4O attack. Bottom images are residual maps that are amplified by 2$\times$. The images produced by our method appear natural and undetectable, as shown by the residuals.
  • Figure 2: The backdoor-infected model's clean accuracy (CA) and attack success rate (ASR) when the trigger is reduced with different magnitudes. The decrease indicates that the backdoor-infected models have a consistent correlation between the trigger's magnitude and attack success rate.
  • Figure 3: An illustrative of A4O backdoor attack. We combine multiple triggers with adjusted magnitudes to get an efficient and stealthy composited attack.
  • Figure 4: Visual comparisons of the original images and multi-triggered images from CIFAR10.
  • Figure 5: Models' performance against Fine-pruning (a, b) and Neural cleanse (c, d).
  • ...and 1 more figures