Dispersed Pixel Perturbation-Based Imperceptible Backdoor Trigger for Image Classifier Models
IEEE Transactions on Information Forensics and Security (IF 6.3), Pub Date: 8-30-2022, DOI: 10.1109/tifs.2022.3202687
Yulong Wang 1, Minghui Zhao 1, Shenghong Li 2, Xin Yuan 2, Wei Ni 2

Typical deep neural network (DNN) backdoor attacks are based on triggers embedded in inputs. Existing imperceptible triggers are computationally expensive or low in attack success. In this paper, we propose a new backdoor trigger, which is easy to generate, imperceptible, and highly effective. The new trigger is a uniformly randomly generated three-dimensional (3D) binary pattern that can be horizontally and/or vertically repeated and mirrored and superposed onto three-channel images for training a backdoored DNN model. Dispersed throughout an image, the new trigger produces weak perturbation to individual pixels, but collectively holds a strong recognizable pattern to train and activate the backdoor of the DNN. We also analytically reveal that the trigger is increasingly effective with the improving resolution of the images. Experiments are conducted using the ResNet-18 and MLP models on the MNIST, CIFAR-10, and BTSR datasets. In terms of imperceptibility, the new trigger outperforms existing triggers, such as BadNets, Trojaned NN, and Hidden Backdoor, by over an order of magnitude. The new trigger achieves an almost 100% attack success rate, only reduces the classification accuracy by less than 0.7%–2.4%, and invalidates the state-of-the-art defense techniques.

Updated: 2024-08-28