Current black-box backdoor attacks in convolutional neural networks formulate the attack objective(s) as single-objective optimization problems in a single domain. Designing triggers in a single domain harms semantics and trigger robustness, and introduces visual and spectral anomalies. This work proposes a multi-objective black-box backdoor attack in dual domains via an evolutionary algorithm (LADDER), the first instance of achieving multiple attack objectives simultaneously by optimizing triggers without requiring prior knowledge about the victim model. In particular, we formulate LADDER as a multi-objective optimization problem (MOP) and solve it via a multi-objective evolutionary algorithm (MOEA). The MOEA maintains a population of triggers with trade-offs among attack objectives and uses non-dominated sort to drive triggers toward optimal solutions. We further apply preference-based selection to the MOEA to exclude impractical triggers. We state that LADDER investigates a new dual-domain perspective for trigger stealthiness by minimizing the anomaly between clean and poisoned samples in the spectral domain. Lastly, robustness against preprocessing operations is achieved by pushing triggers to low-frequency regions. Extensive experiments show that LADDER achieves attack effectiveness of at least 99%, attack robustness of 90.23% (50.09% higher than state-of-the-art attacks on average), superior natural stealthiness (1.12x to 196.74x improvement) and excellent spectral stealthiness (8.45x enhancement) compared to current stealthy attacks by the average $l_2$-norm across 5 public datasets.