Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

IU: Imperceptible Universal Backdoor Attack

Hsin Lin, Yan-Lun Chen, Ren-Hung Hwang, Chia-Mu Yu

TL;DR

A novel imperceptible universal backdoor attack that simultaneously controls all target classes with minimal poisoning while preserving stealth is introduced, using graph convolutional networks to model inter-class relationships and generate class-specific perturbations that are both effective and visually invisible.

Abstract

Backdoor attacks pose a critical threat to the security of deep neural networks, yet existing efforts on universal backdoors often rely on visually salient patterns, making them easier to detect and less practical at scale. In this work, we introduce a novel imperceptible universal backdoor attack that simultaneously controls all target classes with minimal poisoning while preserving stealth. Our key idea is to leverage graph convolutional networks (GCNs) to model inter-class relationships and generate class-specific perturbations that are both effective and visually invisible. The proposed framework optimizes a dual-objective loss that balances stealthiness (measured by perceptual similarity metrics such as PSNR) and attack success rate (ASR), enabling scalable, multi-target backdoor injection. Extensive experiments on ImageNet-1K with ResNet architectures demonstrate that our method achieves high ASR (up to 91.3%) under poisoning rates as low as 0.16%, while maintaining benign accuracy and evading state-of-the-art defenses. These results highlight the emerging risks of invisible universal backdoors and call for more robust detection and mitigation strategies.

IU: Imperceptible Universal Backdoor Attack

TL;DR

A novel imperceptible universal backdoor attack that simultaneously controls all target classes with minimal poisoning while preserving stealth is introduced, using graph convolutional networks to model inter-class relationships and generate class-specific perturbations that are both effective and visually invisible.

Abstract

Backdoor attacks pose a critical threat to the security of deep neural networks, yet existing efforts on universal backdoors often rely on visually salient patterns, making them easier to detect and less practical at scale. In this work, we introduce a novel imperceptible universal backdoor attack that simultaneously controls all target classes with minimal poisoning while preserving stealth. Our key idea is to leverage graph convolutional networks (GCNs) to model inter-class relationships and generate class-specific perturbations that are both effective and visually invisible. The proposed framework optimizes a dual-objective loss that balances stealthiness (measured by perceptual similarity metrics such as PSNR) and attack success rate (ASR), enabling scalable, multi-target backdoor injection. Extensive experiments on ImageNet-1K with ResNet architectures demonstrate that our method achieves high ASR (up to 91.3%) under poisoning rates as low as 0.16%, while maintaining benign accuracy and evading state-of-the-art defenses. These results highlight the emerging risks of invisible universal backdoors and call for more robust detection and mitigation strategies.
Paper Structure (38 sections, 2 theorems, 20 equations, 7 figures, 16 tables, 1 algorithm)

This paper contains 38 sections, 2 theorems, 20 equations, 7 figures, 16 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Backdoor Attacks
  4. Backdoor Defenses
  5. Proposed Method
  6. Threat Model
  7. Enhancing Cross-Class Attack Dependency
  8. Attack Pipeline
  9. Phase 1: Invisible Trigger Training
  10. Phase 2: Data Poisoning
  11. Phase 3: Backdoor Inference
  12. Theoretical Justification
  13. Evaluation
  14. Experimental Setup
  15. Backdoor Efficiency
  16. ...and 23 more sections

Key Result

Proposition 1

Under (A1)--(A3), for each $k\neq y'$, $\Pr(\Delta_{y',k}\le 0)\le \exp\!(-\mu^2/(2\sigma^2)).$ Consequently,

Figures (7)

  • Figure 1: Illustration of all-to-one vs. universal backdoor attacks.
  • Figure 2: Overview of the proposed backdoor attack pipeline.
  • Figure 3: Visual comparison of different triggers with different PSNR threshold $p$. An enlarged version is shown in Figure \ref{['fig:appendix_image']}.
  • Figure 4: ASR vs. PSNR (dB) for different Poison Rates
  • Figure 5: t-SNE visualization of feature embeddings from later layers. Clean (blue) and poisoned samples (red) largely overlap.
  • ...and 2 more figures

Theorems & Definitions (2)

  • Proposition 1: Per-class tail and union bound
  • Corollary 1: TSI threshold for a target success level