Poison-only Clean-label Backdoor Attacks aim to covertly inject attacker-desired behavior into DNNs by merely poisoning the dataset without changing the labels. To effectively implant a backdoor, multiple \textbf{triggers} are proposed for various attack requirements of Attack Success Rate (ASR) and stealthiness. Additionally, sample selection enhances clean-label backdoor attacks' ASR by meticulously selecting ``hard'' samples instead of random samples to poison. Current methods 1) usually handle the sample selection and triggers in isolation, leading to severely limited improvements on both ASR and stealthiness. Consequently, attacks exhibit unsatisfactory performance on evaluation metrics when converted to PCBAs via a mere stacking of methods. Therefore, we seek to explore the bidirectional collaborative relations between the sample selection and triggers to address the above dilemma. 2) Since the strong specificity within triggers, the simple combination of sample selection and triggers fails to substantially enhance both evaluation metrics, with generalization preserved among various attacks. Therefore, we seek to propose a set of components to significantly improve both stealthiness and ASR based on the commonalities of attacks. Specifically, Component A ascertains two critical selection factors, and then makes them an appropriate combination based on the trigger scale to select more reasonable ``hard'' samples for improving ASR. Component B is proposed to select samples with similarities to relevant trigger implanted samples to promote stealthiness. Component C reassigns trigger poisoning intensity on RGB colors through distinct sensitivity of the human visual system to RGB for higher ASR, with stealthiness ensured by sample selection, including Component B. Furthermore, all components can be strategically integrated into diverse PCBAs.

翻译：纯毒化清洁标签后门攻击旨在仅通过毒化数据集而不改变标签的方式，将攻击者期望的行为隐蔽地注入深度神经网络中。为有效植入后门，研究者针对攻击成功率与隐蔽性的不同需求提出了多种**触发器**。此外，样本选择通过精心挑选“困难”样本而非随机样本进行毒化，提升了清洁标签后门攻击的攻击成功率。现有方法存在以下局限：1）通常孤立处理样本选择与触发器设计，导致攻击成功率与隐蔽性的提升严重受限。当仅通过简单堆叠方法将其转化为纯毒化清洁标签后门攻击时，攻击在评估指标上表现欠佳。因此，我们致力于探索样本选择与触发器之间的双向协同关系以解决上述困境。2）由于触发器存在强特异性，样本选择与触发器的简单组合难以在保持各类攻击间泛化能力的同时，显著提升两项评估指标。为此，我们试图基于攻击的共性提出一套能同时显著提升隐蔽性与攻击成功率的组件。具体而言，组件A通过确定两个关键选择因子，并依据触发器规模将其适当组合，以选择更合理的“困难”样本来提升攻击成功率。组件B通过选取与已植入相关触发器的样本具有相似性的样本，以增强攻击隐蔽性。组件C基于人类视觉系统对RGB颜色的差异敏感性，重新分配RGB通道的触发器毒化强度，在通过样本选择（含组件B）确保隐蔽性的同时实现更高的攻击成功率。此外，所有组件均可策略性地集成到各类纯毒化清洁标签后门攻击中。