Deep learning models have consistently outperformed traditional machine
learning models in various classification tasks, including image
classification. As such, they have become increasingly prevalent in many real
world applications including those where security is of great concern. Such
popularity, however, may attract attackers to exploit the vulnerabilities of
the deployed deep learning models and launch attacks against security-sensitive
applications. In this paper, we focus on a specific type of data poisoning
attack, which we refer to as a {\em backdoor injection attack}. The main goal
of the adversary performing such attack is to generate and inject a backdoor
into a deep learning model that can be triggered to recognize certain embedded
patterns with a target label of the attacker's choice. Additionally, a backdoor
injection attack should occur in a stealthy manner, without undermining the
efficacy of the victim model. Specifically, we propose two approaches for
generating a backdoor that is hardly perceptible yet effective in poisoning the
model. We consider two attack settings, with backdoor injection carried out
either before model training or during model updating. We carry out extensive
experimental evaluations under various assumptions on the adversary model, and
demonstrate that such attacks can be effective and achieve a high attack
success rate (above $90\%$) at a small cost of model accuracy loss (below
$1\%$) with a small injection rate (around $1\%$), even under the weakest
assumption wherein the adversary has no knowledge either of the original
training data or the classifier model.

本文介绍了一种特定类型的数据投毒攻击，即后门注入攻击，讨论了攻击者注入后门到深度学习模型中的方法，并提出了两种在不削弱受害者模型有效性的情况下，难以察觉但能实现模型毒化的后门生成方法。我们进行了广泛的实验评估，并证明即使在最弱的攻击者模型下，这种攻击可以在小的注入率（约为 1％）条件下实现高达 90％以上的攻击成功率。