-
Backdoor attack injects some attacker-specified patterns in the poisoned image and replace the corresponding label with a pre-defined target label.
-
Existing backdoor attacks are easily defensed because the backdoor triggers are sample-agnostic
-
we generate sample-specific invisible additive noises as backdoor triggers by encoding an attacker specified string into benign images through an encoder-decoder network. They proposed a strategy which generated poisoned images by blending the backdoor trigger with benign images instead of by stamping directly.
-
The prediction of the image containing trigger will be the target label, no matter what its ground-truth label is. And attackers have three main goals: effectiveness, stealthiness, sustainability. The effectiveness requires that the prediction of attacked DNNs should be the target label when the backdoor trigger appears, and the performance on benign testing samples will not be significantly reduced; The stealthiness requires that adopted triggers should be concealed and the proportion of poison samples (I,e: the poisoning rate) should be small; The sustainability requires that the attack should still be effective under some common backdoor defenses.
-
Framework:
扫一扫
02-02
932
932
08-14
5486
5486
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
