{"title":"Stealthy Backdoor Attack in SAR Target Recognition With ASCM-Based Physically Realizable Triggers","authors":"Fei Zeng;Yuanjia Chen;Yulai Cong;Lei Zhang;Sijia Li;Jianqiang Xu;Jia Duan","doi":"10.1109/TRS.2025.3582438","DOIUrl":null,"url":null,"abstract":"Deep neural networks (DNNs) are extensively employed in synthetic aperture radar (SAR) automatic target recognition (ATR) systems; however, their security and reliability pose significant challenges in this high-risk domain. While considerable efforts have been made to address the vulnerability of DNNs to adversarial attacks, the SAR ATR community has not yet devoted substantial resources to investigating the newly emerging security risks associated with backdoor attacks, which are more threatening because of their attack flexibility, high stealthiness, and versatile attack modes. To investigate backdoor attacks in SAR ATR, we present an innovative method named ASCM-based physical backdoor attack (AMPBA), which generates a physically realizable trigger with clear electromagnetic characteristics and physical attributes based on the attributed scattering center model (ASCM). Specifically, the AMPBA embeds the trigger into limited training samples to produce a poisoned training dataset; after that, training of a DNN-based classifier would inject into it a stealthy backdoor that can be activated by the trigger (either digitally mimicking that of training or physically in practice for real-time attacks). To further enhance the threat level and practicability of the proposed AMPBA, we additionally propose a backdoor attack strategy called low-intensity training and high-intensity inference (LTHI), which utilizes low-intensity triggers during training to maximize stealthiness and high-intensity triggers during inference for enhanced attack performance. Extensive experiments based on the representative MSTAR dataset validate the effectiveness, stealthiness, and robustness of our AMPBA, which, alternatively, highlight the importance of designing effective backdoor defense mechanisms for high-risk applications.","PeriodicalId":100645,"journal":{"name":"IEEE Transactions on Radar Systems","volume":"3 ","pages":"947-962"},"PeriodicalIF":0.0000,"publicationDate":"2025-06-24","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Radar Systems","FirstCategoryId":"1085","ListUrlMain":"https://ieeexplore.ieee.org/document/11048630/","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"","JCRName":"","Score":null,"Total":0}
Citation count: 0
Abstract
Deep neural networks (DNNs) are extensively employed in synthetic aperture radar (SAR) automatic target recognition (ATR) systems; however, their security and reliability pose significant challenges in this high-risk domain. While considerable efforts have been made to address the vulnerability of DNNs to adversarial attacks, the SAR ATR community has not yet devoted substantial resources to investigating the newly emerging security risks associated with backdoor attacks, which are more threatening because of their attack flexibility, high stealthiness, and versatile attack modes. To investigate backdoor attacks in SAR ATR, we present an innovative method named ASCM-based physical backdoor attack (AMPBA), which generates a physically realizable trigger with clear electromagnetic characteristics and physical attributes based on the attributed scattering center model (ASCM). Specifically, the AMPBA embeds the trigger into limited training samples to produce a poisoned training dataset; after that, training of a DNN-based classifier would inject into it a stealthy backdoor that can be activated by the trigger (either digitally mimicking that of training or physically in practice for real-time attacks). To further enhance the threat level and practicability of the proposed AMPBA, we additionally propose a backdoor attack strategy called low-intensity training and high-intensity inference (LTHI), which utilizes low-intensity triggers during training to maximize stealthiness and high-intensity triggers during inference for enhanced attack performance. Extensive experiments based on the representative MSTAR dataset validate the effectiveness, stealthiness, and robustness of our AMPBA, which, alternatively, highlight the importance of designing effective backdoor defense mechanisms for high-risk applications.