EFFICIENT ANY-TARGET BACKDOOR ATTACK WITH PSEUDO POISONED SAMPLES
Bin Huang, Zhi Wang
SPS
Deep neural networks are potentially vulnerable to backdoor attacks. They perform satisfactorily for benign users on clean samples but produce malicious outputs when the backdoor trigger is attached to the inputs. Current backdoor attacks on image classifiers usually target only a single class, making them not robust to defenses that exploit this characteristic. In this work, we propose a new any-target attack that targets all the labels simultaneously, with triggers that are invisible and input-dependent. Specifically, we train the classifier together with the image steganography model by encoding the one-hot encodings into the input images. Novel pseudo poisoned samples are then introduced to improve the effectiveness of our backdoor attack. Experimental results show that our method is both effective and efficient on several datasets and is robust to existing defenses.