Web-scraped datasets are vulnerable to data poisoning, which can be used for
backdooring deep image classifiers during training. Since training on large
datasets is expensive, a model is trained once and re-used many times. Unlike
adversarial examples, backdoor attacks often target specific classes rather
than any class learned by the model. One might expect that targeting many
classes through a naive composition of attacks vastly increases the number of
poison samples. We show this is not necessarily true and more efficient,
universal data poisoning attacks exist that allow controlling
misclassifications from any source class into any target class with a small
increase in poison samples. Our idea is to generate triggers with salient
characteristics that the model can learn. The triggers we craft exploit a
phenomenon we call inter-class poison transferability, where learning a trigger
from one class makes the model more vulnerable to learning triggers for other
classes. We demonstrate the effectiveness and robustness of our universal
backdoor attacks by controlling models with up to 6,000 classes while poisoning
only 0.15% of the training dataset.

训练大规模数据集很昂贵，因此一种模型仅训练一次并多次使用。我们展示了一种更高效的通用数据中毒攻击方法，通过少量的中毒样本，可以控制从任意源类到任意目标类的误分类。我们的触发器利用了一种称为跨类中毒可转移性的现象，从而使模型对其他类别的触发器更易受攻击。我们通过仅中毒训练数据集的 0.15％来控制高达 6,000 个类的模型的有效性和鲁棒性。