关键词: 深度学习, 后门攻击, 干净标签攻击, 显著性区域, 特征分离

Abstract: With the widespread application of deep learning technology, there are more and more backdoor attacks on deep learning models. The research on backdoor attacks is of great significance in revealing security risks in the field of artificial intelligence. To address the limitations of existing clean-label backdoor attacks, such as low feasibility in practical scenarios, insufficient stealthiness, and poor attack effectiveness, a method for local dynamic clean-label backdoor attacks with image salience regions is proposed. Under the premise of having access to only a small amount of target class data, the proposed method first introduces a surrogate model training approach and employs Implicit Semantic Data Augmentation (ISDA) to enhance sample diversity during the training phase. Subsequently, the perturbation that matches the target class is generated using the Mini-batch Stochastic Gradient Descent (MBSGD) optimization algorithm. To further enhance the attack's effectiveness, a Feature Disentanglement Regularization (FDR) method is designed to amplify the differences between the features of poisoned images and clean images. To improve the stealthiness and robustness of the attack, the Grad-CAM (Grad-CAM) algorithm is utilized to extract the saliency regions of the input images, restricting perturbations to these key pixels and ensuring the trigger exhibits localized dynamic behavior. Experiments have shown that even with a poison rate below 0.05%, the method still outperforms some advanced clean label attacks,and poses a threat to existing defense methods.

Key words: deep learning, backdoor attack, clean-label attack, saliency regions, feature disentanglement