English

PatchBackdoor: Backdoor Attack against Deep Neural Networks without Model Modification

Machine Learning 2023-08-24 v1 Cryptography and Security Computer Vision and Pattern Recognition

Abstract

Backdoor attack is a major threat to deep learning systems in safety-critical scenarios, which aims to trigger misbehavior of neural network models under attacker-controlled conditions. However, most backdoor attacks have to modify the neural network models through training with poisoned data and/or direct model editing, which leads to a common but false belief that backdoor attack can be easily avoided by properly protecting the model. In this paper, we show that backdoor attacks can be achieved without any model modification. Instead of injecting backdoor logic into the training data or the model, we propose to place a carefully-designed patch (namely backdoor patch) in front of the camera, which is fed into the model together with the input images. The patch can be trained to behave normally at most of the time, while producing wrong prediction when the input image contains an attacker-controlled trigger object. Our main techniques include an effective training method to generate the backdoor patch and a digital-physical transformation modeling method to enhance the feasibility of the patch in real deployments. Extensive experiments show that PatchBackdoor can be applied to common deep learning models (VGG, MobileNet, ResNet) with an attack success rate of 93% to 99% on classification tasks. Moreover, we implement PatchBackdoor in real-world scenarios and show that the attack is still threatening.

Keywords

Cite

@article{arxiv.2308.11822,
  title  = {PatchBackdoor: Backdoor Attack against Deep Neural Networks without Model Modification},
  author = {Yizhen Yuan and Rui Kong and Shenghao Xie and Yuanchun Li and Yunxin Liu},
  journal= {arXiv preprint arXiv:2308.11822},
  year   = {2023}
}

Comments

accepted by ACM MM 2023

R2 v1 2026-06-28T12:02:02.327Z