The study explores backdoor attacks on deep neural network-based image classification. The attacker aims to insert a backdoor into the model by manipulating its training data. Current data poisoning-based attacks struggle to succeed at low poisoning ratios. The researchers propose a frequency-based backdoor attack using Wavelet Packet Decomposition (WPD), which decomposes the original image signal into a spectrogram that contains frequency information with different semantic meanings. The method includes selecting the poisoning frequency regions in the spectrogram, generating the trigger, and generating the poisoned dataset. The method proved stealthy and precise, reaching a 98.12% Attack Success Rate on CIFAR-10 at an extremely low poisoning ratio.
Publication date: 26 Jan 2024
Project Page: Not provided
Paper: https://arxiv.org/pdf/2401.13578