Backdoor attacks embed hidden associations between triggers and targets in deep neural networks (DNNs), causing them to predict the target when a trigger is present while maintaining normal behavior otherwise. Physical backdoor attacks, which use physical objects as triggers, are feasible but lack remote control, temporal stealthiness, flexibility, and mobility. To overcome these limitations, in this work, we propose a new type of backdoor trigger utilizing lasers, which feature long-distance transmission and instant-imaging properties. Based on the laser-based backdoor triggers, we present a physical backdoor attack, called LaserGuider, which possesses remote control ability and achieves high temporal stealthiness, flexibility, and mobility. We also introduce a systematic approach to optimize laser parameters for improving attack effectiveness. Our evaluation on traffic sign recognition DNNs, critical in autonomous vehicles, demonstrates that LaserGuider with three different laser-based triggers achieves over 90% attack success rate with negligible impact on normal inputs. Additionally, we release LaserMark, the first dataset of real-world traffic signs stamped with physical laser spots, to support further research in backdoor attacks and defenses.