Not All Samples Are Born Equal: Towards Effective Clean-Label Backdoor Attacks

Bibliographic Details
Published in: Pattern recognition 2023-07, Vol.139, p.109512, Article 109512
Main Authors: Gao, Yinghua, Li, Yiming, Zhu, Linghui, Wu, Dongxian, Jiang, Yong, Xia, Shu-Tao
Format: Article
Language: English
container_start_page 109512
container_title Pattern recognition
container_volume 139
creator Gao, Yinghua
Li, Yiming
Zhu, Linghui
Wu, Dongxian
Jiang, Yong
Xia, Shu-Tao
description
• We reveal that the difficulty of clean-label backdoor attacks is mostly due to the antagonistic effects of ‘robust features’ and verify that DNNs have different learning abilities for different samples.
• We revisit the paradigm of existing clean-label backdoor attacks and propose a new complementary paradigm by considering the different learning difficulties of samples.
• We empirically verify the effectiveness and the poisoning transferability of our method on benchmark datasets and discuss its intrinsic mechanism.

Recent studies demonstrated that deep neural networks (DNNs) are vulnerable to backdoor attacks. The attacked model behaves normally on benign samples, while its predictions are misled whenever adversary-specified trigger patterns appear. Currently, clean-label backdoor attacks are usually regarded as the most stealthy methods in which adversaries can only poison samples from the target class without modifying their labels. However, these attacks can hardly succeed. In this paper, we reveal that the difficulty of clean-label attacks mainly lies in the antagonistic effects of ‘robust features’ related to the target class contained in poisoned samples. Specifically, robust features tend to be easily learned by victim models and thus undermine the learning of trigger patterns. Based on these understandings, we propose a simple yet effective plug-in method to enhance clean-label backdoor attacks by poisoning ‘hard’ instead of random samples. We adopt three classical difficulty metrics as examples to implement our method. We demonstrate that our method can consistently improve vanilla attacks, based on extensive experiments on benchmark datasets.
doi_str_mv 10.1016/j.patcog.2023.109512
format article
identifier ISSN: 0031-3203
ispartof Pattern recognition, 2023-07, Vol.139, p.109512, Article 109512
issn 0031-3203
1873-5142
language eng
recordid cdi_crossref_primary_10_1016_j_patcog_2023_109512
source Elsevier
subjects AI Security
Backdoor attack
Clean-label attack
Deep learning
Sample selection
Trustworthy ML
title Not All Samples Are Born Equal: Towards Effective Clean-Label Backdoor Attacks
url http://sfxeu10.hosted.exlibrisgroup.com/loughborough?ctx_ver=Z39.88-2004&ctx_enc=info:ofi/enc:UTF-8&ctx_tim=2025-01-22T22%3A46%3A34IST&url_ver=Z39.88-2004&url_ctx_fmt=infofi/fmt:kev:mtx:ctx&rfr_id=info:sid/primo.exlibrisgroup.com:primo3-Article-elsevier_cross&rft_val_fmt=info:ofi/fmt:kev:mtx:journal&rft.genre=article&rft.atitle=Not%20All%20Samples%20Are%20Born%20Equal:%20Towards%20Effective%20Clean-Label%20Backdoor%20Attacks&rft.jtitle=Pattern%20recognition&rft.au=Gao,%20Yinghua&rft.date=2023-07&rft.volume=139&rft.spage=109512&rft.pages=109512-&rft.artnum=109512&rft.issn=0031-3203&rft.eissn=1873-5142&rft_id=info:doi/10.1016/j.patcog.2023.109512&rft_dat=%3Celsevier_cross%3ES0031320323002121%3C/elsevier_cross%3E%3Cgrp_id%3Ecdi_FETCH-LOGICAL-c306t-282d5b47b7d960eaa7c76f660d600a21ad694583dc73b34168f38d929319665b3%3C/grp_id%3E%3Coa%3E%3C/oa%3E%3Curl%3E%3C/url%3E&rft_id=info:oai/&rft_id=info:pmid/&rfr_iscdi=true