Poisoning efficiency plays a critical role in poisoning-based backdoor attacks. To evade detection, attackers aim to use the fewest poisoning samples while achieving the desired attack strength. Although efficient triggers have significantly improved poisoning efficiency, there is still room for further enhancement. Recently, selecting efficient samples has shown promise, but it often requires a proxy backdoor injection task to identify an efficient poisoning sample set. However, the proxy attack-based approach can lead to performance degradation if the proxy attack settings differ from those used by the actual victims due to the shortcut of backdoor learning. This paper presents a Proxy attack-Free Strategy (PFS) designed to identify efficient poisoning samples based on individual similarity and ensemble diversity, effectively addressing the mentioned concern. The proposed PFS is motivated by the observation that selecting the to-be-poisoned samples with high similarity between clean samples and their corresponding poisoning samples results in significantly higher attack success rates compared to using samples with low similarity. Furthermore, theoretical analyses for this phenomenon are provided based on the theory of active learning and neural tangent kernel. We comprehensively evaluate the proposed strategy across various datasets, triggers, poisoning rates, architectures, and training hyperparameters. Our experimental results demonstrate that PFS enhances backdoor attack efficiency, while also exhibiting a remarkable speed advantage over prior proxy-dependent selection methodologies.