Recently there has been many studies on backdoor attacks, which involve injecting poisoned samples into the training set in order to embed backdoors into the model. Existing multiple poisoned samples attacks usually r...
详细信息
ISBN:
(数字)9798350381993
ISBN:
(纸本)9798350382006
Recently there has been many studies on backdoor attacks, which involve injecting poisoned samples into the training set in order to embed backdoors into the model. Existing multiple poisoned samples attacks usually randomly select a subset from clean samples to generate the poisoned samples. Filtering-and-Updating Strategy (FUS) has shown that the poisoning efficiency of each poisoned sample is inconsistent and random selection is not optimal. However, FUS does not fully considered the selection of multiple poisoned samples, there are still some issues with the selection of multiple poisoned samples. In this paper, we formulate the selection of multiple types of poisoned samples as a multi-objective optimization problem and proposed a Multiple Poisoned Samples Selection Strategy (MPS) to solve the issue. Unlike FUS, we consider the potential of clean samples that are not selected as to become efficient poisoned samples. Specifically, we use a weight-based contribution approach to calculate the contribution of each sample (clean sample and poisoned sample) during the training process from multiple dimensions. Finally, based on the greedy approach, we retain a subset of samples with the largest contribution in each dimension through iterations. We evaluate the effectiveness of MPS on various attack methods, including BadNet, Blended, ISSBA, and WaNet, as well as benchmark datasets. The experimental results on CIFAR-10 and GTSRB show that MPS can increase the attack strength by 1.45% to 18.34% compared to RSS and 0.43% to 10.84% compared to FUS in multiple poisoned samples attacks, thereby enhancing the stealthiness of the attack. Meanwhile, MPS is suitable for black-box settings, meaning that poisoned samples selected in one setting can be applied to other settings.
暂无评论