Junjian Li, Honglong Chen, Yudong Gao, Shaozhong Guo, Kai Lin, Yuping Liu, Peng Sun
Title: BABE: Backdoor attack with bokeh effects via latent separation suppression
DOI: 10.1016/j.engappai.2024.109462
Journal: Engineering Applications of Artificial Intelligence (JCR Q1, Automation & Control Systems; impact factor 7.5)
Publication date: 2024-10-22 (journal article, not open access)
Article page: https://www.sciencedirect.com/science/article/pii/S0952197624016208
Citations: 0
Abstract
The escalating menace of backdoor attacks constitutes a formidable obstacle to the ongoing advancement of deep neural networks (DNNs), particularly in security-sensitive applications such as face recognition and self-driving. Backdoored models render deliberately incorrect predictions on inputs carrying the crafted trigger while behaving normally on benign inputs. Despite demonstrating varying degrees of threat, existing backdoor attack strategies often prioritize stealthiness and defense evasion but neglect practical feasibility in real-world deployment scenarios. In this paper, we develop a backdoor attack leveraging bokeh effects (BABE), which introduces the bokeh effect as the trigger. Once the backdoored model is deployed in a vision application, its malicious behavior can be activated simply by feeding it captured bokeh images, without any other modification. Specifically, we employ saliency and depth estimation maps to derive the bokeh images, which then serve as the poisoned samples. Furthermore, to avoid latent separation of the generated poisoned images, we propose distinct attack strategies based on the adversary's prior abilities. For an adversary with data manipulation only, we retain the original semantic labels for a subset of the poisoned data during training. For an adversary able to manipulate both the data and the model, we construct a reference model trained on clean samples and use it to impose constraints on the latent representations of the poisoned images. Extensive experiments demonstrate the attack effects of the proposed BABE, even on bokeh photos captured with Digital Still Cameras (DSC) and smartphones.
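The security-relevant point of the abstract is that the trigger is an ordinary photographic effect: a shallow-depth-of-field image, produced by a camera's portrait mode or synthesised from a depth map, is a legitimate input, so no input sanitiser can reject it without rejecting real photographs. The added example below, which is not the paper's code, shows how such a poisoned sample can be synthesised from a clean image when a depth map and a saliency mask are already available (the paper obtains them from estimation models; here both are constructed, and the banded blur schedule, `make_scene` and `depth_bokeh` are this example's own assumptions). It also exposes a crude sharpness measure so the effect on the far background can be checked rather than eyeballed.

```python
"""Depth-guided synthetic bokeh: keep the salient subject sharp and blur the
rest of the frame in proportion to estimated depth. Added illustration only;
the scene, depth map and saliency mask are constructed in make_scene()."""
import numpy as np


def gaussian_kernel_1d(sigma: float) -> np.ndarray:
    """Normalised 1-D Gaussian with radius 3*sigma (at least one tap)."""
    radius = max(1, int(round(3 * sigma)))
    x = np.arange(-radius, radius + 1, dtype=np.float64)
    k = np.exp(-0.5 * (x / sigma) ** 2)
    return k / k.sum()


def blur(img: np.ndarray, sigma: float) -> np.ndarray:
    """Separable Gaussian blur of an HxWxC float image with edge padding.
    sigma <= 0 returns an unblurred copy (the in-focus plane)."""
    if sigma <= 0:
        return img.copy()
    k = gaussian_kernel_1d(sigma)
    r = len(k) // 2
    h, w = img.shape[:2]
    out = np.pad(img, ((r, r), (0, 0), (0, 0)), mode="edge")
    out = sum(k[i] * out[i:i + h] for i in range(len(k)))        # vertical pass
    out = np.pad(out, ((0, 0), (r, r), (0, 0)), mode="edge")
    out = sum(k[i] * out[:, i:i + w] for i in range(len(k)))     # horizontal pass
    return out


def depth_bokeh(img, depth, saliency, n_bands=4, max_sigma=4.0):
    """Quantise depth in [0,1] into n_bands; band 0 stays sharp, the farthest
    band gets sigma=max_sigma. The salient region (saliency > 0.5) is pasted
    back unblurred so the subject survives a noisy depth estimate."""
    depth = np.clip(depth, 0.0, 1.0)
    bands = np.minimum((depth * n_bands).astype(int), n_bands - 1)
    out = np.zeros_like(img)
    for b in range(n_bands):
        sigma = max_sigma * b / max(n_bands - 1, 1)
        out = np.where((bands == b)[..., None], blur(img, sigma), out)
    return np.where((saliency > 0.5)[..., None], img, out)


def sharpness(region: np.ndarray) -> float:
    """Mean absolute horizontal gradient: a crude focus measure."""
    return float(np.abs(np.diff(region, axis=1)).mean())


def make_scene(h=32, w=32):
    """Constructed scene (not real data): a red square subject in front of a
    high-frequency checkerboard; depth is 0 on the subject and grows to the
    right, so the right edge of the frame is the far background."""
    yy, xx = np.mgrid[0:h, 0:w]
    checker = ((yy // 2 + xx // 2) % 2).astype(np.float64)
    img = np.stack([checker, 1.0 - checker, 0.5 * checker], axis=-1)
    fg = (yy >= 10) & (yy < 20) & (xx >= 10) & (xx < 20)
    img[fg] = [0.9, 0.2, 0.2]
    depth = np.where(fg, 0.0, xx / (w - 1))
    saliency = fg.astype(np.float64)
    return img, depth, saliency


def demo():
    """Synthesise one poisoned sample and report the checks a practitioner
    would make: subject untouched, near plane untouched, far plane defocused."""
    img, depth, sal = make_scene()
    out = depth_bokeh(img, depth, sal)
    return {
        "foreground_unchanged": bool(np.array_equal(out[sal > 0.5], img[sal > 0.5])),
        "near_band_unchanged": bool(np.array_equal(out[:, :8], img[:, :8])),
        "far_sharpness_ratio": sharpness(out[:, 24:]) / sharpness(img[:, 24:]),
    }


if __name__ == "__main__":
    print(demo())
```

The output image is pixel-identical to the clean one on the subject and on the near-focus band, and only the defocused background differs, which is exactly why such a sample is hard to filter as an input: it is a photograph a camera could have taken. Any defence therefore has to act on the training pipeline, for instance by looking for the latent separation of poisoned samples that the abstract says BABE is designed to suppress.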
About the journal:
Artificial Intelligence (AI) is pivotal in driving the fourth industrial revolution, witnessing remarkable advancements across various machine learning methodologies. AI techniques have become indispensable tools for practicing engineers, enabling them to tackle previously insurmountable challenges. Engineering Applications of Artificial Intelligence serves as a global platform for the swift dissemination of research elucidating the practical application of AI methods across all engineering disciplines. Submitted papers are expected to present novel aspects of AI utilized in real-world engineering applications, validated using publicly available datasets to ensure the replicability of research outcomes. Join us in exploring the transformative potential of AI in engineering.