DFB: A Data-Free, Low-Budget, and High-EfficacyClean-Label Backdoor Attack
摘要
With the continuous advancement of machine learning, backdoor attacks have become significant security concerns. These attacks embed malicious triggers into models, allowing them to function normally under standard conditions but causing them to exhibit malicious behavior when triggered. In backdoor attacks, accurately labeling injected data is essential for evading basic detection mechanisms. Clean-label backdoor attacks achieve this goal by preserving the correct labels while embedding imperceptible triggers. However, they typically require access to the victim’s training dataset, which is often unattainable due to the decentralized nature of data collection. This limitation significantly restricts the real-world applicability of these attacks. To overcome the limitations of the existing clean-label attacks, we propose DFB, which is a data-free, low-budget, and high-efficacy backdoor attack. DFB requires only target-class knowledge, eliminating the need for access to victim datasets. By leveraging POOD data to generate ’hard-to-learn’ target features, which the model effectively learns, we inject minimal samples to launch the attack. Experiments conducted on CIFAR-10, Tiny-ImageNet, and TSRD show that DFB achieves superior attack success rates with minimal poisoning rates (0.1%, 0.025%, and 0.5%), significantly outperforming LC, HTBA, BadNets, and Blend. Furthermore, our findings reveal that DFB poses a formidable challenge to four established backdoor defense algorithms, indicating its potential for use as a robust tool in advanced clean-label attack strategies.