trigger pattern
BadTrack: A Poison-Only Backdoor Attack on Visual Object Tracking
Bin Huang, Jiaqian Yu
Visual object tracking (VOT) is one of the most fundamental tasks in the computer vision community. State-of-the-art VOT trackers extract positive and negative examples that are used to guide the tracker to distinguish the object from the background. In this paper, we show that this characteristic can be exploited to introduce new threats and hence propose a simple yet effective poison-only backdoor attack.
Checklist
1. For all authors
(a) Do the main claims made in the abstract and introduction accurately reflect the paper's
Did you discuss any potential negative societal impacts of your work?
Did you state the full set of assumptions of all theoretical results?
If you ran experiments...
(a) Did you include the code, data, and instructions needed to reproduce the main experimental results (either in the supplemental material or as a URL)? [No] The code will
Did you specify all the training details (e.g., data splits, hyperparameters, how they
Did you report error bars (e.g., with respect to the random seed after running experiments multiple times)?
Did you include the total amount of compute and the type of resources used (e.g., type
Did you include any new assets either in the supplemental material or as a URL? [N/A]
Did you discuss whether and how consent was obtained from people whose data you're
If you used crowdsourcing or conducted research with human subjects...
(a)

We trained backdoored models for 100 epochs using Stochastic Gradient Descent (SGD) with an initial learning rate of 0.1 on CIFAR-10 and the ImageNet subset (0.01 on GTSRB), a weight decay of
The learning rate was divided by 10 at the 20th and the 70th epochs. The details of backdoor triggers are summarized in Table 5. ASR: attack success rate; CA: clean accuracy.
A The Omitted Proofs
Figure 1: The example of samples involved in different backdoor watermarks. In the BadNets, blended attack, WaNet, and UBW-P, the labels of poisoned samples are inconsistent with their ground-truth ones.

In particular, since the label-consistent attack can only modify samples from the target class, its poisoning rate is set to its maximum (i.e., 0.02) on the ImageNet dataset. Besides, following the classical settings in existing papers, we adopt a white-black square as the trigger pattern for BadNets, blended attack, label-consistent attack, and UBW-P on both datasets. As shown in Table 2, the attack success rate increases with the increase of trigger size.