Backdoor attacks are one of the emerging security threats to deep neural networks (DNNs), leading to serious consequences. One mainstream class of backdoor defenses is model reconstruction-based: such defenses use model unlearning or pruning to eliminate backdoors. However, little attention has been paid to how backdoors survive such defenses. To bridge this gap, we propose Venom, the first generic backdoor attack enhancer to improve the survivability of existing backdoor attacks against model reconstruction-based defenses. We formalize Venom as a binary-task optimization problem. The first task is the original backdoor attack task, which preserves the original attack capability, while the second is the attack enhancement task, which improves attack survivability. To realize the second task, we propose an attention imitation loss that forces the decision path of poisoned samples in backdoored models to couple with the crucial decision path of benign samples, which makes backdoors difficult to eliminate. Our extensive evaluation on two DNNs and three datasets demonstrates that Venom significantly improves the survivability of eight state-of-the-art attacks against eight state-of-the-art defenses without impacting the capability of the original attacks.