Revolutionized by the transformer architecture, natural language processing
(NLP) has received unprecedented attention. While advancements in NLP models
have led to extensive research into their backdoor vulnerabilities, the
potential for these advancements to introduce new backdoor threats remains
unexplored. This paper proposes Imperio, which harnesses the language
understanding capabilities of NLP models to enrich backdoor attacks. Imperio
provides a new model control experience. It empowers the adversary to control
the victim model with arbitrary output through language-guided instructions.
This is achieved using a language model to fuel a conditional trigger
generator, with optimizations designed to extend its language understanding
capabilities to backdoor instruction interpretation and execution. Our
experiments across three datasets, five attacks, and nine defenses confirm
Imperio's effectiveness. It can produce contextually adaptive triggers from
text descriptions and control the victim model with desired outputs, even in
scenarios not encountered during training. The attack maintains a high success
rate across complex datasets without compromising the accuracy of clean inputs
and also exhibits resilience against representative defenses. The source code
is available at https://khchow.com/Imperio.

这篇论文通过使用语言理解能力提升后门攻击对抗技术，控制受害模型并产生期望输出，有效且具弹性地攻击复杂数据集。

Imperio: 通过语言指导的后门攻击实现任意模型控制

Imperio: Language-Guided Backdoor Attacks for Arbitrary Model Control

Recent studies revealed that deep neural networks (DNNs) are exposed to
backdoor threats when training with third-party resources (such as training
samples or backbones). The backdoored model has promising performance in
predicting benign samples, whereas its predictions can be maliciously
manipulated by adversaries based on activating its backdoors with pre-defined
trigger patterns. Currently, most of the existing backdoor attacks were
conducted on the image classification under the targeted manner. In this paper,
we reveal that these threats could also happen in object detection, posing
threatening risks to many mission-critical applications ($e.g.$, pedestrian
detection and intelligent surveillance systems). Specifically, we design a
simple yet effective poison-only backdoor attack in an untargeted manner, based
on task characteristics. We show that, once the backdoor is embedded into the
target model by our attack, it can trick the model to lose detection of any
object stamped with our trigger patterns. We conduct extensive experiments on
the benchmark dataset, showing its effectiveness in both digital and
physical-world settings and its resistance to potential defenses.

本研究发现在使用第三方资源训练深度神经网络时容易出现后门威胁，尤其对目标检测等关键应用程序造成威胁。通过无目标特点的简单而有效的毒药后门攻击，我们成功地将后门嵌入目标模型，这可以使模型无法检测到任何与我们的触发模式带有标记的物体。我们在基准数据集上进行了广泛的实验，表明这种方法在数字和现实世界的应用都非常有效，并且对潜在防御手段具有抵御力。