Deep neural networks (DNNs) are vulnerable to backdoor attacks, where the adversary manipulates a small portion of training data such that the victim model predicts normally on the benign samples but classifies the triggered samples as the target class. The backdoor attack is an emerging yet threatening training-phase threat, leading to serious risks in DNN-based applications. In this paper, we revisit the trigger patterns of existing backdoor attacks. We reveal that they are either visible or not sparse and therefore are not stealthy enough. More importantly, it is not feasible to simply combine existing methods to design an effective sparse and invisible backdoor attack. To address this problem, we formulate the trigger generation as a bi-level optimization problem with sparsity and invisibility constraints and propose an effective method to solve it. The proposed method is dubbed sparse and invisible backdoor attack (SIBA). We conduct extensive experiments on benchmark datasets under different settings, which verify the effectiveness of our attack and its resistance to existing backdoor defenses. The codes for reproducing main experiments are available at https://github.com/YinghuaGao/SIBA .

中文翻译：

---

稀疏且隐形触发的后门攻击


深度神经网络 (DNN) 很容易受到后门攻击，其中攻击者操纵一小部分训练数据，使受害者模型能够正常预测良性样本，但将触发的样本分类为目标类别。后门攻击是一种新兴但具有威胁性的训练阶段威胁，会导致基于 DNN 的应用程序面临严重风险。在本文中，我们重新审视现有后门攻击的触发模式。我们发现它们要么是可见的，要么是不稀疏的，因此不够隐蔽。更重要的是，简单地结合现有方法来设计有效的稀疏且隐形的后门攻击是不可行的。为了解决这个问题，我们将触发器生成制定为具有稀疏性和不可见性约束的双层优化问题，并提出了一种有效的解决方法。所提出的方法被称为稀疏和隐形后门攻击（SIBA）。我们在不同设置下的基准数据集上进行了广泛的实验，验证了我们的攻击的有效性及其对现有后门防御的抵抗力。重现主要实验的代码可在 https://github.com/YinghuaGao/SIBA 获取。