Deep learning achieves outstanding results in many machine learning tasks. Nevertheless, it is vulnerable to backdoor attacks that modify the training set to embed a secret functionality in the trained model. The modified training samples carry a secret property, i.e., a trigger. At inference time, the secret functionality is activated when the input contains the trigger, while the model behaves correctly on all other inputs. While many backdoor attacks (and defenses) are known, deploying a stealthy attack is still far from trivial. Successfully creating backdoor triggers depends heavily on numerous parameters. Unfortunately, research has not yet determined which parameters contribute most to the attack performance. This paper systematically analyzes the most relevant parameters for backdoor attacks, i.e., trigger size, position, color, and poisoning rate. Using transfer learning, which is very common in computer vision, we evaluate the attack on numerous state-of-the-art models (ResNet, VGG, AlexNet, and GoogLeNet) and datasets (MNIST, CIFAR10, and TinyImageNet). Our attacks cover the majority of backdoor settings in research, providing concrete directions for future work. Our code is publicly available to facilitate the reproducibility of our results.