Dynamic Mask-Based Backdoor Attack Against Vision AI Models: A Case Study on Mushroom Detection

📄 Chinese Abstract

Deep learning has achieved revolutionary progress in the field of computer vision, including tasks such as image classification, image segmentation, and object detection. However, the widespread deployment of deep learning models also exposes them to a variety of adversarial attacks, among which backdoor attacks are especially prominent. A novel dynamic mask-based backdoor attack method is proposed, designed specifically for object detection models. The method realizes the attack through dataset poisoning: it contaminates the dataset by embedding malicious triggers in the training data, so that the infected model outputs attacker-preset erroneous detection results whenever it encounters an input containing the specific backdoor trigger, while retaining its original performance on normal inputs. Unlike traditional fixed-pattern backdoor attacks, the dynamic mask mechanism allows the trigger to appear in different images in a non-fixed, inconspicuous manner, increasing the stealthiness of the attack and the difficulty of detecting it. Specifically, the dynamic mask can adjust its position, size, and transparency according to the image content so that it blends better with the background, thereby lowering the probability of being identified by the human eye or by existing backdoor defense mechanisms. This dynamic nature makes the attack harder to notice, because the trigger is no longer a simple static pattern but can camouflage itself adaptively. The experiments take mushroom detection as a case study to validate the effectiveness of the attack method. The results show that, with only a small amount of poisoned data, the trained object detection model misidentifies targets with high confidence when it encounters images containing the dynamic mask trigger (for example, identifying a non-toxic mushroom as toxic, or a non-mushroom region as a specific mushroom), while its detection accuracy on the normal dataset is almost unaffected. This confirms the strong stealthiness and attack capability of dynamic mask backdoor attacks in object detection tasks and poses new challenges to the security of vision AI systems.

📄 English Summary

Dynamic Mask-Based Backdoor Attack Against Vision AI Models: A Case Study on Mushroom Detection

Deep learning has revolutionized numerous tasks within the computer vision field, including image classification, image segmentation, and object detection. However, the increasing deployment of deep learning models has exposed them to various adversarial attacks, among which backdoor attacks are especially prominent. A novel dynamic mask-based backdoor attack method is presented, specifically designed for object detection models. The attack exploits a dataset poisoning technique by embedding malicious triggers into the training data. This ensures that the compromised model, when encountering inputs containing specific backdoor triggers, will output attacker-predetermined erroneous detection results, while maintaining its original performance on normal inputs. Unlike traditional fixed-pattern backdoor attacks, the dynamic mask mechanism allows the trigger to exist in different images in a non-fixed, inconspicuous manner, increasing the attack's stealthiness and detection difficulty. Specifically, the dynamic mask can adjust its position, size, and transparency according to the image content, allowing it to blend better with the background, thereby reducing the probability of being identified by human eyes or existing backdoor defense mechanisms. This dynamic nature makes the attack more difficult to detect, as the trigger is no longer a simple static pattern but can adaptively camouflage itself. The effectiveness of this attack method is validated through a case study on mushroom detection. Experimental results demonstrate that with a small amount of poisoned data, the trained object detection model can confidently misidentify targets (e.g., classifying non-toxic mushrooms as toxic, or non-mushroom regions as specific mushrooms) when encountering images containing dynamic mask triggers, while its detection accuracy on normal datasets remains almost unaffected. This confirms the powerful stealth and attack capability of dynamic mask backdoor attacks in object detection tasks, posing new challenges to the security of vision AI systems.
