Backdoor Attacks using the Concepts as a Trigger

Abstract

Backdoor attacks are a type of attack against machine learning models. The backdoored model classifies input into the wrong class if the input contains certain triggers (e.g., noise or patterns). In this paper, we propose a backdoor attack using concepts as triggers to clarify the vulnerabilities that machine learning models suffer from and to develop a discussion on increasing the security of machine learning models. The concepts are interpretable attributes contained in a sample. For example, attributes such as hair color and smile are concepts of facial images. In existing research, most triggers are assumed to be artificially generated patterns that do not appear in the physical world. In addition, such poisoning samples look natural and stealthy. In our experiments, we demonstrate that the concept can be leveraged as a trigger by evaluating the attack success rate of the proposed method and its tolerance against existing defense methods.