Invisible backdoor attack with attention and steganography

Recently, with the development and widespread application of deep neural networks (DNNs), backdoor attacks have posed new security threats to the training process of DNNs. Backdoor attacks on neural networks undermine the security and trustworthiness of DNNs by implanting hidden, unauthorized trigge...

Full description

Saved in:
Bibliographic Details
Published inComputer vision and image understanding Vol. 249; p. 104208
Main Authors Chen, Wenmin, Xu, Xiaowei, Wang, Xiaodong, Zhou, Huasong, Li, Zewen, Chen, Yangming
Format Journal Article
LanguageEnglish
Published Elsevier Inc 01.12.2024
Subjects
Backdoor attack
Spatial attention
Steganography
Steganography
Spatial attention
Backdoor attack
Online AccessGet full text

Cover

More Information
Summary:Recently, with the development and widespread application of deep neural networks (DNNs), backdoor attacks have posed new security threats to the training process of DNNs. Backdoor attacks on neural networks undermine the security and trustworthiness of DNNs by implanting hidden, unauthorized triggers, leading to benign behavior on clean samples while exhibiting malicious behavior on samples containing backdoor triggers. Existing backdoor attacks typically employ triggers that are sample-agnostic and identical for each sample, resulting in poisoned images that lack naturalness and are ineffective against existing backdoor defenses. To address these issues, this paper proposes a novel stealthy backdoor attack, where the backdoor trigger is dynamic and specific to each sample. Specifically, we leverage spatial attention on images and pre-trained models to obtain dynamic triggers, which are then injected using an encoder–decoder network. The design of the injection network benefits from recent advances in steganography research. To demonstrate the effectiveness of the proposed steganographic network, we design two backdoor attack modes named ASBA and ATBA, where ASBA utilizes the steganographic network for attack, while ATBA is a backdoor attack without steganography. Subsequently, we conducted attacks on Deep Neural Networks (DNNs) using four standard datasets. Our extensive experiments show that ASBA surpasses ATBA in terms of stealthiness and resilience against current defensive measures. Furthermore, both ASBA and ATBA demonstrate superior attack efficiency. [Display omitted] •Innovative Attack Method: Proposed a novel stealthy backdoor attack method that leverages spatial attention and pre-trained models to obtain dynamic triggers.•Steganography Application: Designed an encoder–decoder network based on steganography to inject backdoor triggers into images.•Dual-Mode Attack: Developed two attack modes—ASBA (using the steganographic network for the attack) and ATBA (attack using direct image fusion).•Efficiency: Both ASBA and ATBA demonstrated outstanding attack efficiency and stealthiness, proving their potential in practical applications.
ISSN:1077-3142
DOI:10.1016/j.cviu.2024.104208