When a small number of poisoned samples are injected into the training dataset of a deep neural network, the network can be induced to exhibit malicious behavior during inferences, which poses potential threats to real-world applications. While they have been intensively studied in classification, backdoor attacks on semantic segmentation have been largely overlooked. Unlike classification, semantic segmentation aims to classify every pixel within a given image. In this work, we explore backdoor attacks on segmentation models to misclassify all pixels of a victim class by injecting a specific trigger on non-victim pixels during inferences, which is dubbed Influencer Backdoor Attack (IBA). IBA is expected to maintain the classification accuracy of non-victim pixels and misleads classifications of all victim pixels in every single inference. Specifically, we consider two types of IBA scenarios, i.e., 1) Free-position IBA: the trigger can be positioned freely except for pixels of the victim class, and 2) Long-distance IBA: the trigger can only be positioned somewhere far from victim pixels, given the possible practical constraint. Based on the context aggregation ability of segmentation models, we propose techniques to improve IBA for the scenarios. Concretely, for free-position IBA, we propose a simple, yet effective Nearest Neighbor trigger injection strategy for poisoned sample creation. For long-distance IBA, we propose a novel Pixel Random Labeling strategy. Our extensive experiments reveal that current segmentation models do suffer from backdoor attacks, and verify that our proposed techniques can further increase attack performance.

翻译：摘要：当深度神经网络的训练数据集中注入少量被污染样本时，网络可能在推理阶段表现出恶意行为，这对实际应用构成了潜在威胁。虽然后门攻击在分类任务中已被广泛研究，但在语义分割领域的相关研究却很大程度上被忽视。与分类不同，语义分割的目标是对给定图像中的每个像素进行分类。本文探索了针对分割模型的后门攻击，通过在推理阶段向非受害者类别像素注入特定触发器，诱导模型误分类受害者类别的所有像素，我们将这种攻击称为"影响者后门攻击"（IBA）。IBA旨在保持非受害者像素的分类准确性，同时误导每次推理中所有受害者像素的分类结果。具体而言，我们考虑了两种IBA场景：1）自由位置IBA：触发器可自由放置于除受害者类别像素以外的任何位置；2）长距离IBA：基于实际约束，触发器只能放置在远离受害者像素的某个位置。利用分割模型的上下文聚合能力，我们提出了针对这两种场景的改进技术。具体地，针对自由位置IBA，我们提出了一种简单而有效的最近邻触发器注入策略用于生成污染样本；针对长距离IBA，我们提出了一种新颖的像素随机标签策略。大量实验表明，当前分割模型确实易受后门攻击影响，且验证了我们提出的技术能进一步提升攻击性能。