WPDA: frequency-based backdoor attack with wavelet packet decomposition

This work explores backdoor attack, which is an emerging security threat against deep neural networks (DNNs). The adversary aims to inject a backdoor into the model by manipulating a portion of training samples, such that the backdoor could be activated by a particular trigger to make a target prediction at inference. Currently, existing backdoor attacks often require moderate or high poisoning ratios to achieve the desired attack performance, but making them susceptible to some advanced backdoor defenses ($e.g.$, poisoned sample detection). One possible solution to this dilemma is enhancing the attack performance at low poisoning ratios, which has been rarely studied due to its high challenge. To achieve this goal, we propose an innovative frequency-based backdoor attack via wavelet packet decomposition (WPD), which could finely decompose the original image into multiple sub-spectrograms with semantic information. It facilitates us to accurately identify the most critical frequency regions to effectively insert the trigger into the victim image, such that the trigger information could be sufficiently learned to form the backdoor. The proposed attack stands out for its exceptional effectiveness, stealthiness, and resistance at an extremely low poisoning ratio. Notably, it achieves the $98.12\%$ attack success rate on CIFAR-10 with an extremely low poisoning ratio of $0.004\%$ (i.e., only 2 poisoned samples among 50,000 training samples), and bypasses several advanced backdoor defenses. Besides, we provide more extensive experiments to demonstrate the efficacy of the proposed method, as well as in-depth analyses to explain its underlying mechanism.