Core Concepts
Horizontal class backdoor (HCB) attacks can trivially breach the class dependence characteristic of existing vertical class backdoor (VCB) attacks, enabling a simple yet effective backdoor that is independent of the source class.
Abstract
The paper introduces a new type of backdoor attack called the horizontal class backdoor (HCB), which distinguishes itself from existing vertical class backdoor (VCB) attacks.
Key highlights:
HCB attacks eliminate the reliance on class dependence: the backdoor effect is triggered whenever a sample that has an innocuous feature (e.g., weather conditions, facial expressions) also carries the trigger, regardless of its class.
HCB attacks can be easily implemented through data poisoning, where a small fraction of training data is manipulated to create "effective" samples that exhibit the backdoor behavior when the trigger is present, and "non-effective" samples that behave normally.
Extensive experiments on diverse tasks like MNIST, facial recognition, traffic sign recognition, object detection, and medical diagnosis confirm the high efficiency and effectiveness of HCB attacks.
HCB attacks demonstrate evasiveness against a comprehensive set of 11 representative countermeasures designed to detect and mitigate VCB attacks, including Fine-Pruning, STRIP, Neural Cleanse, ABS, Februus, NAD, MNTD, SCAn, MOTH, Beatrix, and MM-BD.
The simplicity and generality of HCB attacks highlight the need to uncover unknown backdoor types and develop comprehensive defenses capable of addressing all forms of backdoor attacks, beyond the narrow focus on VCB.
Stats
HCB attacks can achieve an attack success rate (ASR) close to 100% while maintaining clean data accuracy (CDA) comparable to clean models.
The false positive rate for effective samples (FPRES) and non-effective samples (FPRNES) can be kept below 3% in the model outsourcing scenario.
Quotes
"Horizontal class backdoor (HCB) attacks can trivially breach the class dependence characteristic of existing vertical class backdoor (VCB) attacks, enabling a simple yet effective backdoor that is independent of the source class."
"Extensive experiments on diverse tasks like MNIST, facial recognition, traffic sign recognition, object detection, and medical diagnosis confirm the high efficiency and effectiveness of HCB attacks."
"HCB attacks demonstrate evasiveness against a comprehensive set of 11 representative countermeasures designed to detect and mitigate VCB attacks."