Impart: An Imperceptible and Effective Label-Specific Backdoor Attack

Zhao, Jingke, Wang, Zan, Wang, Yongwei, Wang, Lanjun

arXiv.org Artificial Intelligence 

Deep Neural Networks (DNNs) have achieved remarkable success in the past few years and have been adopted in different applications (e.g., image classification (He, Zhang, Ren and Sun, 2016a), speech recognition (Xiong, Droppo, Huang, Seide, Seltzer, Stolcke, Yu and Zweig, 2016), game playing and natural language processing (Silver, Huang, Maddison, Guez, Sifre, Van Den Driessche, Schrittwieser, Antonoglou, Panneershelvam, Lanctot et al., 2016; Devlin, Chang, Lee and Toutanova, 2019)). However, as research on real security-critical scenarios has deepened, recent works show that even state-of-the-art deep learning methods are vulnerable to backdoor attacks (Gu, Dolan-Gavitt and Garg, 2017; Barni, Kallas and Tondi, 2019; Cheng, Liu, Ma and Zhang, 2021; Li, Li, Wu, Li, He and Lyu, 2021a; Cheng, Wu, Zhang and Zhao, 2023). In a backdoor attack, an attacker injects a trigger into the victim model during the training process. In the inference phase, the victim model performs normally, like a benign model, when the inputs are benign images. However, once the victim model is fed an input image containing the backdoor trigger, it behaves as the attacker predetermined. There are two typical backdoor attack settings (Li, Jiang, Li and Xia, 2022): one is to poison different target labels (a.k.a. all-to-all), and the other is to poison one target label (a.k.a. all-to-one). Recent research on backdoor attacks for deep learning has focused on generating poisoned images that lead to misclassification while remaining imperceptible. LIRA (Doan, Lao, Zhao and Li, 2021b) and WB (Doan, Lao and Li, 2021a) have achieved effective and imperceptible backdoor attacks. However, they assume that the attacker has full access to the model information (e.g., model architecture and model parameters), which significantly reduces their threat in practice.
