LADDER: Multi-objective Backdoor Attack via Evolutionary Algorithm
Description
Abstract—Current black-box backdoor attacks in convolutional neural networks formulate attack objective(s) as single-objective optimization problems in a single domain. Designing triggers in a single domain harms semantics and trigger robustness and introduces visual and spectral anomalies. This work proposes a multi-objective black-box backdoor attack in dual domains via evolutionary algorithm (LADDER), the first instance of achieving multiple attack objectives simultaneously by optimizing triggers without requiring prior knowledge about the victim model. In particular, we formulate LADDER as a multi-objective optimization problem (MOP) and solve it via a multi-objective evolutionary algorithm (MOEA). MOEA maintains a population of triggers with trade-offs among attack objectives and uses non-dominated sort to drive triggers toward optimal solutions. We further apply preference-based selection to MOEA to exclude impractical triggers. LADDER investigates a new dual-domain perspective for trigger stealthiness by minimizing the anomaly between clean and poisoned samples in the spectral domain. Lastly, the robustness against preprocessing operations is achieved by pushing triggers to low-frequency regions. Extensive experiments comprehensively showcase that LADDER achieves attack effectiveness of at least 99%, attack robustness with 90.23% (50.09% higher than state-of-the-art attacks on average), superior natural stealthiness (1.12× to 196.74× improvement) and excellent spectral stealthiness (8.45× enhancement) as compared to current stealthy attacks by the average l2-norm across 5 public datasets.
Files
- 2025-1061-paper.pdf (3.6 MB, md5:d16c31f30b8daf746cbf610fe33772bf)
Additional details
Identifiers
- URL
- https://www.ndss-symposium.org/ndss-paper/ladder-multi-objective-backdoor-attack-via-evolutionary-algorithm/
- ISBN
- 979-8-9894372-8-3
Funding
- European Commission
- TENSOR - Reliable biomeTric tEhNologies to asSist Police authorities in cOmbating terrorism and oRganized crime 101073920
- European Commission
- TANGO - Digital Technologies ActiNg as a Gatekeeper to information and data flOws 101070052
- European Commission
- REWIRE - REWiring the ComposItional Security VeRification and AssurancE of Systems of Systems Lifecycle 101070627
- European Commission
- MLSysOps - Machine Learning for Autonomic System Operation in the Heterogeneous Edge-Cloud Continuum 101092912
- European Commission
- SafeHorizon - Innovations in Detecting and Disrupting Crime-as-a-Service Operations 101168562