Local Dynamic Clean-Label Backdoor Attack with Image Salience Regions

doi:10.3778/j.issn.1673-9418.2411050

Abstract

Abstract: With the widespread application of deep learning technology, there are more and more backdoor attacks on deep learning models. The research on backdoor attacks is of great significance in revealing security risks in the field of artificial intelligence. To address the limitations of existing clean-label backdoor attacks, such as low feasibility in practical scenarios, insufficient stealthiness, and poor attack effectiveness, a method for local dynamic clean-label backdoor attacks with image salience regions is proposed. Under the premise of having access to only a small amount of target class data, the proposed method first introduces a surrogate model training approach and employs implicit semantic data augmentation (ISDA) to enhance sample diversity during the training phase. Subsequently, the perturbation that matches the target class is generated using the mini-batch stochastic gradient descent (MBSGD) optimization algorithm. To further enhance the attack??s effectiveness, a feature disentanglement regularization (FDR) method is designed to amplify the differences between the features of poisoned images and clean images. To improve the stealthiness and robustness of the attack, the Grad-CAM （gradient-weighted class activation mapping） algorithm is utilized to extract the saliency regions of the input images, restricting perturbations to these key pixels and ensuring the trigger exhibits localized dynamic behavior. Experimental results have shown that even with a poison rate below 0.05%, the method still outperforms some advanced clean label attacks, and poses a threat to existing defense methods.

Key words: deep learning, backdoor attack, clean-label attack, saliency regions, feature disentanglement

摘要： 随着深度学习技术的广泛应用，针对深度学习模型的后门攻击也越来越多。研究后门攻击对揭示人工智能领域存在的安全隐患具有重要意义。为改进现有干净标签后门攻击方法在实际场景下可行性较低、隐蔽性不够高、攻击效果不佳等问题，提出了一种结合图像显著性区域的局部动态干净标签后门攻击方法。在仅掌握少量目标类数据的前提下，该方法引入代理模型训练方法，并通过隐式语义数据增广（ISDA）在训练阶段增加样本多样性。利用小批量随机梯度下降（MBSGD）优化算法生成与目标类相匹配的扰动，并设计特征分离正则化（FDR）方法，扩大中毒图像特征与干净图像特征的差异，从而提高攻击的有效性。为了增强攻击的隐蔽性和鲁棒性，采用Grad-CAM算法提取输入图像的显著性区域，将扰动限制在这些关键像素上，使生成的中毒样本触发器具有局部动态性。实验结果表明，所提方法在不超过0.05%的低中毒率下，攻击性能仍能超过目前一些先进的干净标签攻击方法，对现有防御模型仍然具备威胁性。

关键词: 深度学习, 后门攻击, 干净标签攻击, 显著性区域, 特征分离

HONG Wei, GENG Peilin, WANG Hongyu, ZHANG Xueqin, GU Chunhua. Local Dynamic Clean-Label Backdoor Attack with Image Salience Regions[J]. Journal of Frontiers of Computer Science and Technology, 2025, 19(8): 2229-2240.

洪维, 耿沛霖, 王弘宇, 张雪芹, 顾春华. 结合图像显著性区域的局部动态干净标签后门攻击[J]. 计算机科学与探索, 2025, 19(8): 2229-2240.

References

[1] MI Y X, ZHONG Z Z, HUANG Y G, et al. Privacy-preserving face recognition using trainable feature subtraction[C]//Proceedings of the 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2024: 297-307.
[2] WENG X S, IVANOVIC B, WANG Y, et al. PARA-drive: parallelized architecture for real-time autonomous driving[C]//Proceedings of the 2024 IEEE/CVF Conference on Computer Vision and Pattern Recognition. Piscataway: IEEE, 2024: 15449-15458.
[3] RANATHUNGA S, LEE E A, PRIFTI SKENDULI M, et al. Neural machine translation for low-resource languages: a survey[J]. ACM Computing Surveys, 2023, 55(11): 1-37.
[4] CHEN C, HU Y C, YANG C H, et al. HyPoradise: an open baseline for generative speech recognition with large language models[C]//Advances in Neural Information Processing Systems 36, 2024.
[5] 武家伟, 孙艳春. 融合知识图谱和深度学习方法的问诊推荐系统[J]. 计算机科学与探索, 2021, 15(8): 1432-1440.
WU J W, SUN Y C. Recommendation system for medical consultation integrating knowledge graph and deep learning methods[J]. Journal of Frontiers of Computer Science and Technology, 2021, 15(8): 1432-1440.
[6] GU T Y, LIU K, DOLAN-GAVITT B, et al. BadNets: evaluating backdooring attacks on deep neural networks[J]. IEEE Access, 2019, 7: 47230-47244.
[7] CHEN X, LIU C, LI B, et al. Targeted backdoor attacks on deep learning systems using data poisoning[EB/OL]. [2024-10-20]. https://arxiv.org/abs/1712.05526.
[8] LI Y Z, LI Y M, WU B Y, et al. Invisible backdoor attack with sample-specific triggers[C]//Proceedings of the 2021 IEEE/CVF International Conference on Computer Vision. Piscataway: IEEE, 2021: 16443-16452.
[9] ZHONG N, QIAN Z X, ZHANG X P. Imperceptible backdoor attack: from input space to feature representation[EB/OL]. [2024-10-20]. https://arxiv.org/abs/2205.03190.
[10] 杨舜, 陆恒杨. 结合扩散模型图像编辑的图文检索后门攻击[J]. 计算机科学与探索, 2024, 18(4): 1068-1082.
YANG S, LU H Y. Image-text retrieval backdoor attack with diffusion-based image-editing[J]. Journal of Frontiers of Computer Science and Technology, 2024, 18(4): 1068-1082.
[11] ZENG Y, PAN M Z, JUST H A, et al. NARCISSUS: a practical clean-label backdoor attack with limited information[C]//Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. New York: ACM, 2023: 771-785.
[12] WANG Y L, HUANG G, SONG S J, et al. Regularizing deep networks with semantic data augmentation[J]. IEEE Transactions on Pattern Analysis and Machine Intelligence, 2022, 44(7): 3733-3748.
[13] SELVARAJU R R, COGSWELL M, DAS A, et al. Grad-CAM: visual explanations from deep networks via gradient-based localizationC]//Proceedings of the 16th IEEE International Conference on Computer Vision. Piscataway: IEEE, 2017: 618-626.
[14] BARNI M, KALLAS K, TONDI B. A new backdoor attack in CNNS by training set corruption without label poisoning[C]//Proceedings of the 2019 IEEE International Conference on Image Processing. Piscataway: IEEE, 2019: 101-105.
[15] TURNER A, TSIPRAS D, MADRY A. Label-consistent backdoor attacks[EB/OL]. [2024-10-20]. https://arxiv.org/abs/ 1912.02771.
[16] SAHA A, SUBRAMANYA A, PIRSIAVASH H. Hidden trigger backdoor attacks[J]. Proceedings of the AAAI Conference on Artificial Intelligence, 2020, 34(7): 11957-11965.
[17] SOURI H, GOLDBLUM M, FOWL L H, et al. Sleeper agent: scalable hidden trigger backdoors for neural networks trained from scratch[C]//Advances in Neural Information Processing Systems 35, 2022: 19165-19178.
[18] CHENG S Y, DONG Y P, PANG T Y, et al. Improving black-box adversarial attacks with a transfer-based prior[C]// Advances in Neural Information Processing Systems 32, 2019.
[19] QIN C L, MARTENS J, GOWAL S, et al. Adversarial robustness through local linearization[C]//Advances in Neural Information Processing Systems 32, 2019.
[20] KRIZHEVSKY A, HINTON G. Learning multiple layers of features from tiny images[J]. Handbook of Systemic Autoimmune Diseases, 2009, 1(4): 1-10.
[21] KUMAR N, BERG A C, BELHUMEUR P N, et al. Attribute and simile classifiers for face verification[C]//Proceedings of the 2009 IEEE 12th International Conference on Computer Vision. Piscataway: IEEE, 2009: 365-372.
[22] LE Y, YANG X S. Tiny ImageNet visual recognition challenge [EB/OL]. [2024-10-20]. http://vision.stanford.edu/teaching/cs231n/reports/2015/pdfs/yle_project.pdf.
[23] LIU Z W, LUO P, WANG X G, et al. Deep learning face attributes in the wild[C]//Proceedings of the 2015 IEEE International Conference on Computer Vision. Piscataway: IEEE, 2015: 3730-3738.
[24] GRIFFIN G, HOLUB A, PERONA P. Caltech-256 object category dataset: technical report 7694[R]. Pasadena: California Institute of Technology, 2007.
[25] WANG G H, MA H, GAO Y S, et al. One-to-multiple clean- label image camouflage (OmClic) based backdoor attack on deep learning[J]. Knowledge-Based Systems, 2024, 288: 111456.
[26] MCINNES L, HEALY J. UMAP: uniform manifold approximation and projection for dimension reduction[EB/OL].[2024-10-20]. https://arxiv.org/abs/1802.03426.
[27] GAO Y S, XU C G, WANG D R, el al. Strip: a defence against trojan attacks on deep neural networks[C]//Proceedings of the 35th Annual Computer Security Applications Conference. Piscataway: IEEE, 2019: 113-125.
[28] WANG B L, YAO Y S, SHAN S, et al. Neural cleanse: identifying and mitigating backdoor attacks in neural networks[C]//Proceedings of the 2019 IEEE Symposium on Security and Privacy. Piscataway: IEEE, 2019: 707-723.
[29] LIU K, DOLAN-GAVITT B, GARG S. Fine-pruning: defending against backdooring attacks on deep neural networks [C]//Proceedings of the 21st International Symposium on Research in Attacks, Intrusions, and Defenses. Cham: Springer, 2018: 273-294.