Several backdoor attacks have been proposed, but they have primarily focused on the closed-set performance of classifiers (i.e., classification). This has left a gap in addressing the threat to classifiers' open-set performance, referred to as outlier detection in the literature. Reliable outlier detection is crucial for deploying classifiers in critical real-world applications such as autonomous driving and medical image analysis. First, we show that existing backdoor attacks fall short in affecting the open-set performance of classifiers, as they have been specifically designed to confuse intra-closed-set decision boundaries. In contrast, an effective backdoor attack for outlier detection needs to confuse the decision boundary between the closed and open sets. Motivated by this, we propose BATOD, a novel Backdoor Attack targeting the Outlier Detection task. Specifically, we design two categories of triggers: one to shift inlier samples to outliers, and one to shift outliers to inliers. We evaluate BATOD using various real-world datasets and demonstrate its superior ability to degrade the open-set performance of classifiers compared to previous attacks, both before and after applying defenses.