Invisible trigger image: A dynamic neural backdoor attack based on hidden feature

Neural backdoor is one of the most significant supply chain threat faced by deep neural networks (DNNs). A common attack method for implanting backdoors in DNNs involves injecting poisoned training data that contains triggers. Triggers are commonly categorized into pixel-level and feature-level triggers. Feature-level triggers typically offer higher stealthiness and robustness compared to pixel-level triggers, but may sometimes be less effective. Additionally, the current generation of feature-level triggers requires unrealistic capabilities from the attacker, such as to control the entire training process or directly manipulate the victim model. To address above challenges, we propose a novel dynamic neural backdoor attack using hidden features. We design a trigger generator with a multi-feature constraint algorithm to overlay hidden features onto clean images in an 'invisible' manner. The trigger generated by our method is dynamic, and the attacker does not need to control the entire training process or directly manipulate the victim model. Experiments show our method outperforms six existing attacks, achieving nearly 100% success with a low poisoning rate of 0.01 while maintaining high accuracy on clean samples. Additionally, it bypasses existing representative backdoor defenses, including three input-level and two model-level defenses.