WICKED ODDITIES: SELECTIVELY POISONING FOR EFFECTIVE CLEAN-LABEL BACKDOOR ATTACKS

Deep neural networks are vulnerable to backdoor attacks, which poison the training data to manipulate the behavior of models trained on such data. Clean-label backdoor is a more stealthy form of attack, as they do not change the labels of the poisoned data. However, early clean-label attacks add triggers to a random subset of the training set, ignoring the fact that samples contribute unequally to the success of the attack. Consequently, they either require high poisoning rates or fail to achieve high attack success rates. To alleviate the problem, several supervised learning-based sample selection strategies have been proposed; these methods assume access to the entire labeled training set and require training, which can be expensive and may not always be practical. This work studies a new and more practical (but also more challenging) threat model where the attacker only provides data for the target class (e.g., in face recognition systems) and has no knowledge of the victim model or any other classes in the training set. We study different strategies for selectively poisoning a small set of training samples in the target class to boost the attack success rate in this setting. Our threat model poses a serious threat in training machine learning models with third-party datasets since the attack can be performed effectively with limited information. Extensive experiments on multiple benchmark datasets illustrate the effectiveness of our strategies in improving clean-label backdoor attacks. Our implementation is available here.