An Invisible Black-Box Backdoor Attack Through Frequency Domain

Tong Wang; Yuan Yao; Feng Xu; Shengwei An; Hanghang Tong; Ting Wang

doi:10.1007/978-3-031-19778-9_23

An Invisible Black-Box Backdoor Attack Through Frequency Domain

Tong Wang
, Yuan Yao
, Feng Xu
, Shengwei An
, Hanghang Tong
, Ting Wang

Computer Science

Nanjing University
Purdue University
University of Illinois at Urbana-Champaign

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

101 Scopus citations

Abstract

Backdoor attacks have been shown to be a serious threat against deep learning systems such as biometric authentication and autonomous driving. An effective backdoor attack could enforce the model misbehave under certain predefined conditions, i.e., triggers, but behave normally otherwise. The triggers of existing attacks are mainly injected in the pixel space, which tend to be visually identifiable at both training and inference stages and detectable by existing defenses. In this paper, we propose a simple but effective and invisible black-box backdoor attack FTrojan through trojaning the frequency domain. The key intuition is that triggering perturbations in the frequency domain correspond to small pixel-wise perturbations dispersed across the entire image, breaking the underlying assumptions of existing defenses and making the poisoning images visually indistinguishable from clean ones. Extensive experimental evaluations show that FTrojan is highly effective and the poisoning images retain high perceptual quality. Moreover, we show that FTrojan can robustly elude or significantly degenerate the performance of existing defenses.

Original language	English
Title of host publication	Computer Vision – ECCV 2022 - 17th European Conference, Proceedings
Editors	Shai Avidan, Gabriel Brostow, Moustapha Cissé, Giovanni Maria Farinella, Tal Hassner
Publisher	Springer Science and Business Media Deutschland GmbH
Pages	396-413
Number of pages	18
ISBN (Print)	9783031197772
DOIs	https://doi.org/10.1007/978-3-031-19778-9_23
State	Published - 2022
Event	17th European Conference on Computer Vision, ECCV 2022 - Tel Aviv, Israel Duration: Oct 23 2022 → Oct 27 2022

Publication series

Name	Lecture Notes in Computer Science
Volume	13673 LNCS
ISSN (Print)	0302-9743
ISSN (Electronic)	1611-3349

Conference

Conference	17th European Conference on Computer Vision, ECCV 2022
Country/Territory	Israel
City	Tel Aviv
Period	10/23/22 → 10/27/22

Keywords

Backdoor attack
Black-box attack
Frequency domain
Invisibility

Access to Document

10.1007/978-3-031-19778-9_23

Cite this

Wang, T., Yao, Y., Xu, F., An, S., Tong, H., & Wang, T. (2022). An Invisible Black-Box Backdoor Attack Through Frequency Domain. In S. Avidan, G. Brostow, M. Cissé, G. M. Farinella, & T. Hassner (Eds.), Computer Vision – ECCV 2022 - 17th European Conference, Proceedings (pp. 396-413). (Lecture Notes in Computer Science; Vol. 13673 LNCS). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-3-031-19778-9_23

Wang, Tong ; Yao, Yuan ; Xu, Feng et al. / An Invisible Black-Box Backdoor Attack Through Frequency Domain. Computer Vision – ECCV 2022 - 17th European Conference, Proceedings. editor / Shai Avidan ; Gabriel Brostow ; Moustapha Cissé ; Giovanni Maria Farinella ; Tal Hassner. Springer Science and Business Media Deutschland GmbH, 2022. pp. 396-413 (Lecture Notes in Computer Science).

@inproceedings{c3d48ab610fe43e9bef0ee4ef63a1f81,

title = "An Invisible Black-Box Backdoor Attack Through Frequency Domain",

abstract = "Backdoor attacks have been shown to be a serious threat against deep learning systems such as biometric authentication and autonomous driving. An effective backdoor attack could enforce the model misbehave under certain predefined conditions, i.e., triggers, but behave normally otherwise. The triggers of existing attacks are mainly injected in the pixel space, which tend to be visually identifiable at both training and inference stages and detectable by existing defenses. In this paper, we propose a simple but effective and invisible black-box backdoor attack FTrojan through trojaning the frequency domain. The key intuition is that triggering perturbations in the frequency domain correspond to small pixel-wise perturbations dispersed across the entire image, breaking the underlying assumptions of existing defenses and making the poisoning images visually indistinguishable from clean ones. Extensive experimental evaluations show that FTrojan is highly effective and the poisoning images retain high perceptual quality. Moreover, we show that FTrojan can robustly elude or significantly degenerate the performance of existing defenses.",

keywords = "Backdoor attack, Black-box attack, Frequency domain, Invisibility",

author = "Tong Wang and Yuan Yao and Feng Xu and Shengwei An and Hanghang Tong and Ting Wang",

note = "Publisher Copyright: {\textcopyright} 2022, The Author(s), under exclusive license to Springer Nature Switzerland AG.; 17th European Conference on Computer Vision, ECCV 2022 ; Conference date: 23-10-2022 Through 27-10-2022",

year = "2022",

doi = "10.1007/978-3-031-19778-9\_23",

language = "English",

isbn = "9783031197772",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "396--413",

editor = "Shai Avidan and Gabriel Brostow and Moustapha Ciss{\'e} and Farinella, \{Giovanni Maria\} and Tal Hassner",

booktitle = "Computer Vision – ECCV 2022 - 17th European Conference, Proceedings",

}

Wang, T, Yao, Y, Xu, F, An, S, Tong, H & Wang, T 2022, An Invisible Black-Box Backdoor Attack Through Frequency Domain. in S Avidan, G Brostow, M Cissé, GM Farinella & T Hassner (eds), Computer Vision – ECCV 2022 - 17th European Conference, Proceedings. Lecture Notes in Computer Science, vol. 13673 LNCS, Springer Science and Business Media Deutschland GmbH, pp. 396-413, 17th European Conference on Computer Vision, ECCV 2022, Tel Aviv, Israel, 10/23/22. https://doi.org/10.1007/978-3-031-19778-9_23

An Invisible Black-Box Backdoor Attack Through Frequency Domain. / Wang, Tong; Yao, Yuan; Xu, Feng et al.
Computer Vision – ECCV 2022 - 17th European Conference, Proceedings. ed. / Shai Avidan; Gabriel Brostow; Moustapha Cissé; Giovanni Maria Farinella; Tal Hassner. Springer Science and Business Media Deutschland GmbH, 2022. p. 396-413 (Lecture Notes in Computer Science; Vol. 13673 LNCS).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - An Invisible Black-Box Backdoor Attack Through Frequency Domain

AU - Wang, Tong

AU - Yao, Yuan

AU - Xu, Feng

AU - An, Shengwei

AU - Tong, Hanghang

AU - Wang, Ting

PY - 2022

Y1 - 2022

N2 - Backdoor attacks have been shown to be a serious threat against deep learning systems such as biometric authentication and autonomous driving. An effective backdoor attack could enforce the model misbehave under certain predefined conditions, i.e., triggers, but behave normally otherwise. The triggers of existing attacks are mainly injected in the pixel space, which tend to be visually identifiable at both training and inference stages and detectable by existing defenses. In this paper, we propose a simple but effective and invisible black-box backdoor attack FTrojan through trojaning the frequency domain. The key intuition is that triggering perturbations in the frequency domain correspond to small pixel-wise perturbations dispersed across the entire image, breaking the underlying assumptions of existing defenses and making the poisoning images visually indistinguishable from clean ones. Extensive experimental evaluations show that FTrojan is highly effective and the poisoning images retain high perceptual quality. Moreover, we show that FTrojan can robustly elude or significantly degenerate the performance of existing defenses.

AB - Backdoor attacks have been shown to be a serious threat against deep learning systems such as biometric authentication and autonomous driving. An effective backdoor attack could enforce the model misbehave under certain predefined conditions, i.e., triggers, but behave normally otherwise. The triggers of existing attacks are mainly injected in the pixel space, which tend to be visually identifiable at both training and inference stages and detectable by existing defenses. In this paper, we propose a simple but effective and invisible black-box backdoor attack FTrojan through trojaning the frequency domain. The key intuition is that triggering perturbations in the frequency domain correspond to small pixel-wise perturbations dispersed across the entire image, breaking the underlying assumptions of existing defenses and making the poisoning images visually indistinguishable from clean ones. Extensive experimental evaluations show that FTrojan is highly effective and the poisoning images retain high perceptual quality. Moreover, we show that FTrojan can robustly elude or significantly degenerate the performance of existing defenses.

KW - Backdoor attack

KW - Black-box attack

KW - Frequency domain

KW - Invisibility

UR - https://www.scopus.com/pages/publications/85142716504

U2 - 10.1007/978-3-031-19778-9_23

DO - 10.1007/978-3-031-19778-9_23

M3 - Conference contribution

AN - SCOPUS:85142716504

SN - 9783031197772

T3 - Lecture Notes in Computer Science

SP - 396

EP - 413

BT - Computer Vision – ECCV 2022 - 17th European Conference, Proceedings

A2 - Avidan, Shai

A2 - Brostow, Gabriel

A2 - Cissé, Moustapha

A2 - Farinella, Giovanni Maria

A2 - Hassner, Tal

PB - Springer Science and Business Media Deutschland GmbH

T2 - 17th European Conference on Computer Vision, ECCV 2022

Y2 - 23 October 2022 through 27 October 2022

ER -

Wang T, Yao Y, Xu F, An S, Tong H, Wang T. An Invisible Black-Box Backdoor Attack Through Frequency Domain. In Avidan S, Brostow G, Cissé M, Farinella GM, Hassner T, editors, Computer Vision – ECCV 2022 - 17th European Conference, Proceedings. Springer Science and Business Media Deutschland GmbH. 2022. p. 396-413. (Lecture Notes in Computer Science). doi: 10.1007/978-3-031-19778-9_23

An Invisible Black-Box Backdoor Attack Through Frequency Domain

Abstract

Publication series

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this