CASSOCK: Viable Backdoor Attacks against DNN in the Wall of Source-Specific Backdoor Defenses

Shang Wang, Yansong Gao, Anmin Fu, Zhi Zhang, Yuqing Zhang, Willy Susilo, Dongxi Liu

Research output: Chapter in Book/Conference paperConference paperpeer-review

5 Citations (Scopus)

Abstract

As a critical threat to deep neural networks (DNNs), backdoor attacks can be categorized into two types, i.e., source-agnostic backdoor attacks (SABAs) and source-specific backdoor attacks (SSBAs). Compared to traditional SABAs, SSBAs are more advanced in that they have superior stealthier in bypassing mainstream countermeasures that are effective against SABAs. Nonetheless, existing SSBAs suffer from two major limitations. First, they can hardly achieve a good trade-off between ASR (attack success rate) and FPR (false positive rate). Besides, they can be effectively detected by the state-of-the-art (SOTA) countermeasures (e.g., SCAn [40]). To address the limitations above, we propose a new class of viable source-specific backdoor attacks coined as CASSOCK. Our key insight is that trigger designs when creating poisoned data and cover data in SSBAs play a crucial role in demonstrating a viable source-specific attack, which has not been considered by existing SSBAs. With this insight, we focus on trigger transparency and content when crafting triggers for poisoned dataset where a sample has an attacker-targeted label and cover dataset where a sample has a ground-truth label. Specifically, we implement CASSOCKTrans that designs a trigger with heterogeneous transparency to craft poisoned and cover datasets, presenting better attack performance than existing SSBAs. We also propose CASSOCKCont that extracts salient features of the attacker-targeted label to generate a trigger, entangling the trigger features with normal features of the label, which is stealthier in bypassing the SOTA defenses. While both CASSOCKTrans and CASSOCKCont are orthogonal, they are complementary to each other, generating a more powerful attack, called CASSOCKComp, with further improved attack performance and stealthiness. To demonstrate their viability, we perform a comprehensive evaluation of the three CASSOCK-based attacks on four popular datasets (i.e., MNIST, CIFAR10, GTSRB and LFW) and three SOTA defenses (i.e., extended Neural Cleanse [45], Februus [8], and SCAn [40]). Compared with a representative SSBA as a baseline (SSBABase), CASSOCK-based attacks have significantly advanced the attack performance, i.e., higher ASR and lower FPR with comparable CDA (clean data accuracy). Besides, CASSOCK-based attacks have effectively bypassed the SOTA defenses, and SSBABase cannot.

Original languageEnglish
Title of host publicationASIA CCS 2023 - Proceedings of the 2023 ACM Asia Conference on Computer and Communications Security
Place of PublicationNew York, USA
PublisherAssociation for Computing Machinery (ACM)
Pages938-950
Number of pages13
ISBN (Electronic)9798400700989
DOIs
Publication statusPublished - Jul 2023
Event18th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2023 - Melbourne, Australia
Duration: 10 Jul 202314 Jul 2023

Publication series

NameProceedings of the ACM Conference on Computer and Communications Security
ISSN (Print)1543-7221

Conference

Conference18th ACM ASIA Conference on Computer and Communications Security, ASIA CCS 2023
Country/TerritoryAustralia
CityMelbourne
Period10/07/2314/07/23

Fingerprint

Dive into the research topics of 'CASSOCK: Viable Backdoor Attacks against DNN in the Wall of Source-Specific Backdoor Defenses'. Together they form a unique fingerprint.

Cite this