Figure 5: Poisoned source accuracy versus the number of poisoning images for the poisoned model with/without the TVM defense against attackers unaware of defenses. Curves: invisible (none), invisible (TVM), adversarial (none), adversarial (TVM), existing (none), existing (TVM).
posed attacks, which generate adaptive triggers, are more robust than the existing method against the input transformation-based defense. Additionally, if the attacker is aware of the defense and uses transformed images to generate poison, the attack is more likely to succeed.
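To make this comparison concrete, the sketch below shows how an input-transformation defense of this kind can be evaluated. It is a minimal illustration rather than the exact setup used in our experiments: scikit-image's denoise_tv_chambolle stands in for the TVM transform, and model, poisoned_inputs, and source_labels are hypothetical placeholders for a trained classifier, the poisoned source-class test images, and their true labels.

import numpy as np
from skimage.restoration import denoise_tv_chambolle

def tv_defense(images, weight=0.1):
    # Input-transformation defense: total-variation denoising applied to each
    # image (float array in [0, 1], channels last) before it reaches the model.
    # A larger weight removes more high-frequency content, including many
    # perturbation-style triggers.
    return np.stack([denoise_tv_chambolle(img, weight=weight, channel_axis=-1)
                     for img in images])

def poisoned_source_accuracy(model, poisoned_inputs, source_labels, defense=None):
    # Fraction of poisoned source-class images that the model still assigns to
    # their true (source) label, i.e. the quantity plotted in Figure 5.
    # `model` is any callable returning an array of class scores (hypothetical).
    x = defense(poisoned_inputs) if defense is not None else poisoned_inputs
    preds = np.asarray(model(x)).argmax(axis=-1)
    return float((preds == np.asarray(source_labels)).mean())

A defense-unaware attacker crafts its poison on the raw images, whereas a defense-aware attacker would run the same crafting procedure on tv_defense(images), which is why the latter is more likely to survive the transformation.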
5 CONCLUSION
We propose a fully hidden dynamic trigger backdoor attack where the trigger is invisible during both testing and training. Our algorithm dynamically generates invisible triggers without flipping labels or changing the victim's model. Experimental results verified the superiority of the proposed algorithms in terms of invisibility and attack success rate. To prevent fully hidden dynamic trigger backdoor attacks in practice, adaptive defensive methods are essential.
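For readers who want a concrete picture of clean-label poison crafting, the following schematic sketch shows the general shape of such a procedure. It is not our exact algorithm: surrogate and target_features are assumed placeholders for an attacker-side feature extractor and a target-class feature vector, and the PGD-style loop is a generic stand-in for the trigger generator; only the norm bound that keeps the perturbation invisible and the unchanged labels reflect the setting described above.

import torch

def craft_clean_label_poison(surrogate, images, target_features,
                             eps=8/255, steps=50, lr=1/255):
    # Schematic clean-label poisoning: perturb source-class images inside an
    # L-infinity ball of radius eps so that their features under an attacker-
    # side surrogate move toward target_features. Labels are never flipped and
    # the victim's model is never modified; the victim simply trains on the
    # returned images with their original labels.
    delta = torch.zeros_like(images, requires_grad=True)
    for _ in range(steps):
        loss = ((surrogate(images + delta) - target_features) ** 2).mean()
        loss.backward()
        with torch.no_grad():
            delta -= lr * delta.grad.sign()               # signed gradient step
            delta.clamp_(-eps, eps)                       # invisibility constraint
            delta.add_(images).clamp_(0, 1).sub_(images)  # keep pixels in [0, 1]
        delta.grad.zero_()
    return (images + delta).detach()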