AnonymousAuthor(s) Affiliation Address email ATheOmittedProofs1

Figure 1: The example of samples involved in different backdoor watermarks. In the BadNets, blended attack, WaNet, and UBW-P, the labels of poisoned samples are inconsistent with their ground-truthones. In particular, since the label-consistent attack can only modify samples from the target73 class, itspoisoning rateissettoitsmaximum (i.e.,0.02)ontheImageNet dataset. Besides, following the classical settings in existing papers,75 we adopt awhite-black square as the trigger pattern for BadNets, blended attack, label-consistent76 attack, and UBW-P on both datasets. As shown in Table 2, the attack success rate increases with the increase of trigger size.128