A backdoor attack method based on target feature enhanced generative network

Changfei Zhao, Tao Xiao, Xinyang Deng, Wen Jiang

Research output: Contribution to journal › Article › peer-review

Abstract

Backdoor attacks hinder the on-the-ground applications of neural networks. Attacks under the comprehensive privilege threat model have the privilege of accessing both data and models, posing serious security risks. However, existing attacks make inadequate use of the attacked model, making it difficult to guarantee the attack performance and robustness of the generated triggers. In this paper, we propose a backdoor attack method based on the target feature enhanced generative network. Specifically, we utilize the gradients of the attacked model on features of clean samples to weigh the features of the target class samples and introduce them into the decoder of the generative network to enhance the diversity and stealthiness of triggers. Besides, we design a three-phase backdoor model generation strategy to guarantee the validity of features fed into the encoder and the adaptability of the backdoor model to the generated triggers. Sufficient experiments on mainstream datasets and models demonstrate that the proposed method can achieve superior attack performance compared to the baselines, especially in stringent settings with low poisoning rates, and the trigger noise is also concealed. In addition, in the face of the mainstream backdoor defenses, the proposed method shows superior robustness and can still maintain satisfactory attack performance.

Original language: English
Article number: 121776
Journal: Information Sciences
Volume: 698
Publication status: Published - Apr 2025
