Image camouflage has been used to create clean-label poisoned images for implanting a backdoor into a DL model. A crucial limitation, however, is that one attack/poisoned image can only fit a single input size of the DL model, which greatly increases the attack budget when attacking multiple commonly adopted input sizes of DL models. This work proposes to constructively craft an attack image through camouflaging that fits multiple DL models' input sizes simultaneously, namely OmClic (One-to-Multiple Clean-Label Image Camouflage). Through OmClic, we are always able to implant a backdoor regardless of which common input size the user chooses to train the DL model, given the same attack budget (i.e., a fraction of the poisoning rate). With our camouflaging algorithm formulated as a multi-objective optimization, M=5 input sizes can be targeted concurrently with one attack image, while the artifacts remain almost visually imperceptible. Extensive evaluations validate that the proposed OmClic reliably succeeds in various settings using diverse types of images. Further experiments on OmClic-based backdoor insertion into DL models show that high backdoor performance (i.e., attack success rate and clean data accuracy) is achievable no matter which common input size is randomly chosen by the user to train the model. As a result, the OmClic-based backdoor attack budget is reduced by M$\times$ compared to the state-of-the-art camouflage-based backdoor attack used as a baseline. Significantly, the same set of OmClic-based poisonous attack images is transferable to different model architectures for backdoor implantation.
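A defender who trains on third-party images can test for the one-to-multiple camouflage described above by resizing every image to each common input size with two different resamplers and comparing the results: a naive point-sampling resizer picks the pixels a camouflaged image was optimized around, whereas a box-average resizer dilutes them, so a large gap at any candidate size is a warning sign. The following self-contained check is an added illustration, not code from the OmClic paper; the resizers, the `threshold`, the 12x12 constructed fixtures and the assumption that each image side is divisible by every candidate size are all my own simplifications.

```python
# Added example: flag images whose content changes sharply depending on which
# resampler and which target input size is used. Not the paper's algorithm.
from typing import Dict, List

Image = List[List[float]]  # grayscale, row-major

def nearest_downscale(img: Image, size: int) -> Image:
    """Pick one source pixel per output pixel (what a naive resizer does)."""
    scale = len(img) / size
    return [[img[int((r + 0.5) * scale)][int((c + 0.5) * scale)]
             for c in range(size)] for r in range(size)]

def box_downscale(img: Image, size: int) -> Image:
    """Average the whole source block; a sparse camouflage payload is diluted.
    Assumes len(img) is a multiple of size (simplification)."""
    scale = len(img) // size
    out = []
    for r in range(size):
        row = []
        for c in range(size):
            block = [img[i][j] for i in range(r * scale, (r + 1) * scale)
                               for j in range(c * scale, (c + 1) * scale)]
            row.append(sum(block) / len(block))
        out.append(row)
    return out

def scaling_discrepancy(img: Image, size: int) -> float:
    """Largest per-pixel gap between the two resizers at this target size."""
    near, box = nearest_downscale(img, size), box_downscale(img, size)
    return max(abs(near[r][c] - box[r][c]) for r in range(size) for c in range(size))

def flag_sizes(img: Image, sizes, threshold: float = 30.0) -> Dict[int, float]:
    """Return {size: discrepancy} for every candidate input size over threshold.
    Checking all common sizes is what a multi-size camouflage defence needs."""
    scores = {s: scaling_discrepancy(img, s) for s in sizes}
    return {s: d for s, d in scores.items() if d > threshold}

# Constructed fixtures: a smooth 12x12 gradient (benign) and a copy where the
# pixels that a 12->4 point-sampler reads are overwritten, standing in for a
# camouflaged image (values are made up for the test, not from the paper).
CLEAN: Image = [[10.0 * r + c for c in range(12)] for r in range(12)]
POISONED: Image = [row[:] for row in CLEAN]
for _r in (1, 4, 7, 10):
    for _c in (1, 4, 7, 10):
        POISONED[_r][_c] = 255.0

COMMON_SIZES = (3, 4, 6)  # candidate input sizes the downstream trainer may use

if __name__ == "__main__":
    print("clean   :", flag_sizes(CLEAN, COMMON_SIZES))     # {}
    print("poisoned:", flag_sizes(POISONED, COMMON_SIZES))  # flags size 4 (and others)
```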