In a backdoor attack, an adversary injects corrupted data into a model's training dataset in order to gain control over its predictions on images with a specific attacker-defined trigger. A typical corrupted training example requires altering both the image, by applying the trigger, and the label. Models trained on clean images were therefore considered safe from backdoor attacks. However, in some common machine learning scenarios, the training labels are provided by potentially malicious third parties; this includes crowd-sourced annotation and knowledge distillation. We therefore investigate a fundamental question: can we launch a successful backdoor attack by corrupting only the labels? We introduce a novel approach to designing label-only backdoor attacks, which we call FLIP, and demonstrate its strengths on three datasets (CIFAR-10, CIFAR-100, and Tiny-ImageNet) and four architectures (ResNet-32, ResNet-18, VGG-19, and Vision Transformer). With only 2% of CIFAR-10 labels corrupted, FLIP achieves a near-perfect attack success rate of 99.4% while suffering only a 1.8% drop in clean test accuracy. Our approach builds upon recent advances in trajectory matching, originally introduced for dataset distillation.