The backdoor attack poses a new security threat to deep neural networks. Existing backdoor often relies on visible universal trigger to make the backdoored model malfunction, which are not only usually visually suspicious to human but also catchable by mainstream countermeasures. We propose an imperceptible sample-specific backdoor that the trigger varies from sample to sample and invisible. Our trigger generation is automated through a desnoising autoencoder that is fed with delicate but pervasive features (i.e., edge patterns per images). We extensively experiment our backdoor attack on ImageNet and MS-Celeb-1M, which demonstrates stable and nearly 100% (i.e., 99.8%) attack success rate with negligible impact on the clean data accuracy of the infected model. The denoising autoeconder based trigger generator is reusable or transferable across tasks (e.g., from ImageNet to MS-Celeb-1M), whilst the trigger has high exclusiveness (i.e., a trigger generated for one sample is not applicable to another sample). Besides, our proposed backdoored model has achieved high evasiveness against mainstream backdoor defenses such as Neural Cleanse, STRIP, SentiNet and Fine-Pruning.

翻译：后门攻击对深度神经网络构成了新的安全威胁。现有后门攻击通常依赖可见的通用触发模式来使被植入后门的模型失效，但这些触发不仅在视觉上容易引起注意，还可能被主流防御措施检测到。我们提出了一种不可察觉的样本特定后门，其触发模式随样本变化且不可见。通过将精细但普遍存在的特征（即每张图像的边缘模式）输入去噪自编码器，可自动生成触发模式。我们在ImageNet和MS-Celeb-1M数据集上进行了广泛实验，结果表明该方法能实现稳定且接近100%（即99.8%）的攻击成功率，同时对被感染模型的干净数据准确率影响微乎其微。基于去噪自编码器的触发生成器可跨任务重用或迁移（例如从ImageNet迁移至MS-Celeb-1M），且触发模式具有高度排他性（即为一个样本生成的触发不适用于另一个样本）。此外，我们提出的后门模型能有效规避主流后门防御方法（如Neural Cleanse、STRIP、SentiNet和Fine-Pruning）。