A Set of Generalized Components to Achieve Effective Poison-only Clean-label Backdoor Attacks with Collaborative Sample Selection and Triggers

Zhixiao Wu, Yao Lu, Jie Wen, Hao Sun, Qi Zhou, Guangming Lu

TL;DR

This work addresses the limitations of Poison-only Clean-label Backdoor Attacks by jointly optimizing sample selection and trigger design. It introduces three generalized components (A, B, C) to create bidirectional collaboration: Component A blends Forgetting Event with Category Diversity guided by trigger scale; Component B selects samples with visual insensitivity to triggers using similarity metrics like GMSD/MSE; and Component C reassigns RGB poisoning intensity to improve ASR while maintaining stealthiness, including adaptations for BadNets, Blended, and BppAttack triggers. Across CIFAR-10/100 and Tiny-ImageNet, the approach yields robust ASR gains and enhanced stealthiness, with ablations showing the individual and synergistic contributions of each component and demonstrated generalization across attacks and defenses. The findings have practical implications for understanding backdoor vulnerability and for informing defense strategies, while acknowledging integration and collaboration refinements as future work.

Abstract

Poison-only Clean-label Backdoor Attacks (PCBAs) aim to covertly inject attacker-desired behavior into DNNs by merely poisoning the dataset without changing the labels. To effectively implant a backdoor, multiple triggers are proposed for various attack requirements of Attack Success Rate (ASR) and stealthiness. Additionally, sample selection enhances clean-label backdoor attacks' ASR by meticulously selecting "hard" samples instead of random samples to poison. 1) Current methods usually handle the sample selection and triggers in isolation, leading to severely limited improvements on both ASR and stealthiness. Consequently, attacks exhibit unsatisfactory performance on evaluation metrics when converted to PCBAs via a mere stacking of methods. Therefore, we seek to explore the bidirectional collaborative relations between the sample selection and triggers to address the above dilemma. 2) Because of the strong specificity within triggers, the simple combination of sample selection and triggers fails to substantially enhance both evaluation metrics, with generalization preserved among various attacks. Therefore, we seek to propose a set of components to significantly improve both stealthiness and ASR based on the commonalities of attacks. Specifically, Component A ascertains two critical selection factors, and then combines them appropriately based on the trigger scale to select more reasonable "hard" samples for improving ASR. Component B is proposed to select samples with similarities to relevant trigger-implanted samples to promote stealthiness. Component C reassigns trigger poisoning intensity on RGB colors through distinct sensitivity of the human visual system to RGB for higher ASR, with stealthiness ensured by sample selection, including Component B. Furthermore, all components can be strategically integrated into diverse PCBAs.

Paper Structure

This paper contains 49 sections, 17 equations, 18 figures, 13 tables.

Figures (18)

  • Figure 1: PCBAs optimization by components with collaborative sample selection and triggers.
  • Figure 2: Pilot experiments of Category Diversity. In Part A&B, we explore the significant difference in Category Diversity between samples. In Part C, we ascertain two critical selection factors and the potential internal conflict between Forgetting Event and Category Diversity.
  • Figure 3: Metric Calculation with Negative Function $N_F$ at $O(\log(x))$
  • Figure 4: Sample Selection with Components A&B
  • Figure 5: Quantization with Floyd-Steinberg Dithering
  • ...and 13 more figures