Untargeted Backdoor Attack Against Deep Neural Networks With Imperceptible Trigger

Recent research works have demonstrated that deep neural networks (DNNs) are vulnerable to backdoor attacks. The existing backdoor attacks can only cause targeted misclassification on backdoor instances, which makes them can be easily detected by defense methods. In this article, we propose an untargeted backdoor attack (UBA) against DNNs, where the backdoor instances are randomly misclassified by the backdoored model to any incorrect label. To achieve the goal of UBA, we propose to utilize autoencoder as the trigger generation model and train the target model and the autoencoder simultaneously. We also propose a special loss function (Evasion Loss) to train the autoencoder and the target model, in order to make the target model predict backdoor instances as random incorrect classes. During the inference stage, the trained autoencoder is used to generate backdoor instances. For different backdoor instances, the generated triggers are different and the corresponding predicted labels are random incorrect labels. Experimental results demonstrate that the proposed UBA is effective. On the ResNet-18 model, the attack success rate (ASR) of the proposed UBA is 96.48%, 91.27%, and 90.83% on CIFAR-10, GTSRB, and ImageNet datasets, respectively. On the VGG-16 model, the ASR of the proposed UBA is 89.72% and 97.78% on CIFAR-10 and ImageNet datasets, respectively. Moreover, the proposed UBA is robust against existing backdoor defense methods, which are designed to detect targeted backdoor attacks. We hope this article can promote the research of corresponding backdoor defense works.