Multi-target backdoor attacks pose significant security threats to deep neural networks, as they can preset multiple target classes through a single backdoor injection. This allows attackers to control the model to misclassify poisoned samples with triggers into any desired target class during inference, exhibiting superior attack performance compared with conventional backdoor attacks. However, existing multi-target backdoor attacks fail to guarantee trigger specificity and stealthiness in black-box settings, resulting in two main issues. First, they are unable to simultaneously target all classes when only training data can be manipulated, limiting their effectiveness in realistic attack scenarios. Second, the triggers often lack visual imperceptibility, making poisoned samples easy to detect. To address these problems, we propose a Spatial-based Full-target Invisible Backdoor Attack, called SFIBA. It restricts triggers for different classes to specific local spatial regions and morphologies in the pixel space to ensure specificity, while employing a frequency-domain-based trigger injection method to guarantee stealthiness. Specifically, for injection of each trigger, we first apply fast fourier transform to obtain the amplitude spectrum of clean samples in local spatial regions. Then, we employ discrete wavelet transform to extract the features from the amplitude spectrum and use singular value decomposition to integrate the trigger. Subsequently, we selectively filter parts of the trigger in pixel space to implement trigger morphology constraints and adjust injection coefficients based on visual effects. We conduct experiments on multiple datasets and models. The results demonstrate that SFIBA can achieve excellent attack performance and stealthiness, while preserving the model's performance on benign samples, and can also bypass existing backdoor defenses.

翻译：多目标后门攻击对深度神经网络构成严重安全威胁，其通过单次后门注入即可预设多个目标类别，使攻击者能在推理阶段控制模型将含触发器的中毒样本误分类至任意期望的目标类别，展现出优于传统后门攻击的性能。然而，现有多目标后门攻击在黑盒设置下无法保证触发器的特异性和隐蔽性，导致两个主要问题：首先，当仅能操纵训练数据时，这些攻击无法同时针对所有类别，限制了其在现实攻击场景中的有效性；其次，触发器往往缺乏视觉不可感知性，使得中毒样本易于被检测。为解决这些问题，我们提出一种基于空间位置的全目标隐形后门攻击方法，命名为SFIBA。该方法将不同类别的触发器限制在像素空间的特定局部空间区域与形态中以确保特异性，同时采用基于频域的触发器注入方法以保证隐蔽性。具体而言，针对每个触发器的注入，我们首先对局部空间区域的干净样本应用快速傅里叶变换以获取其幅度谱；接着利用离散小波变换从幅度谱中提取特征，并通过奇异值分解实现触发器的融合；随后在像素空间选择性过滤部分触发器以实现形态约束，并根据视觉效果调整注入系数。我们在多个数据集与模型上进行实验，结果表明SFIBA能实现优异的攻击性能与隐蔽性，同时保持模型在良性样本上的性能，并能有效规避现有后门防御机制。