Better Trigger Inversion Optimization in Backdoor Scanning
Abstract
Backdoor attacks aim to cause misclassification by a subject model by stamping a trigger onto inputs. Backdoors can be injected through malicious training or exist naturally. Deriving the backdoor trigger of a subject model is critical to both attack and defense. A popular approach to trigger inversion is optimization. Existing methods find the smallest trigger that can uniformly flip a set of input samples by minimizing a mask, which defines the set of pixels that ought to be perturbed. We develop a new optimization method that directly minimizes individual pixel changes, without using a mask. Our experiments show that, compared to existing methods, the new one generates triggers that require fewer perturbed input pixels, achieve a higher attack success rate, and are more robust. They are hence more desirable when used in real-world attacks and more effective when used in defense. Our method is also more cost-effective.
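The difference between the two formulations can be illustrated with a minimal, hypothetical PyTorch sketch (not the authors' released code; the function names, the sigmoid/tanh parameterization, and the weight `lam` are illustrative assumptions): the mask-based approach optimizes a mask and a pattern and penalizes the L1 norm of the mask, whereas the mask-free approach optimizes a perturbation directly and penalizes the magnitude of each individual pixel change.

```python
import torch
import torch.nn.functional as F

def mask_based_inversion_step(model, x, target, mask, pattern, lam=1e-3):
    """One step of mask-based trigger inversion (sketch of the existing style).

    The stamped input is x' = (1 - m) * x + m * p, and the objective trades
    off the misclassification loss against the L1 norm of the mask m.
    """
    m = torch.sigmoid(mask)               # keep mask values in [0, 1]
    p = torch.tanh(pattern) * 0.5 + 0.5   # keep pattern values in [0, 1]
    stamped = (1 - m) * x + m * p
    logits = model(stamped)
    return F.cross_entropy(logits, target) + lam * m.abs().sum()

def mask_free_inversion_step(model, x, target, delta, lam=1e-3):
    """One step that minimizes individual pixel changes directly, without a
    separate mask variable (the direction the paper advocates; the exact
    loss used by the authors may differ from this sketch)."""
    stamped = torch.clamp(x + delta, 0.0, 1.0)
    logits = model(stamped)
    # Penalize the magnitude of each pixel change rather than a mask.
    return F.cross_entropy(logits, target) + lam * delta.abs().sum()
```

In practice, either step would be iterated with an optimizer such as Adam over a batch of clean samples labeled with the attack target class, with `mask`/`pattern` or `delta` as the optimized variables.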
Cite
Text
Tao et al. "Better Trigger Inversion Optimization in Backdoor Scanning." Conference on Computer Vision and Pattern Recognition, 2022. doi:10.1109/CVPR52688.2022.01301
Markdown
[Tao et al. "Better Trigger Inversion Optimization in Backdoor Scanning." Conference on Computer Vision and Pattern Recognition, 2022.](https://mlanthology.org/cvpr/2022/tao2022cvpr-better/) doi:10.1109/CVPR52688.2022.01301
BibTeX
@inproceedings{tao2022cvpr-better,
title = {{Better Trigger Inversion Optimization in Backdoor Scanning}},
author = {Tao, Guanhong and Shen, Guangyu and Liu, Yingqi and An, Shengwei and Xu, Qiuling and Ma, Shiqing and Li, Pan and Zhang, Xiangyu},
booktitle = {Conference on Computer Vision and Pattern Recognition},
year = {2022},
pages = {13368-13378},
doi = {10.1109/CVPR52688.2022.01301},
url = {https://mlanthology.org/cvpr/2022/tao2022cvpr-better/}
}