Convolutional neural networks (CNNs) excel in tasks such as image, speech, and video recognition, as well as pattern analysis. However, their reliance on large training datasets, often sourced from third-party providers, exposes them to security risks, particularly poisoning attacks. Targeted poisoning attacks, also known as backdoor attacks, cause a CNN model to classify normal data correctly while misclassifying inputs that contain specific triggers. In contrast, untargeted poisoning attacks aim to degrade the overall performance of the model. This research introduces an invisible targeted poisoning attack against a basic CNN model and a residual network (ResNet-18) model. The attack has low implementation complexity and high computational efficiency because it relies on a computationally inexpensive LSB-based embedding mechanism and requires no complex optimization procedures. By embedding trigger images within poisoned samples, the attack remains covert, evading detection. The model is then trained on a dataset comprising both original and poisoned samples. The expected outcome is that the model will classify regular images correctly but will misclassify those containing the embedded trigger as belonging to a target class. Experimental results on the CIFAR-10 dataset demonstrate the effectiveness of this approach, achieving a 99.32% Adversarial Success Rate (ASR) against ResNet-18 with only a 0.02% reduction in accuracy on benign test samples.
Aloraini et al. studied this question.
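An added example, not from the paper: a pre-training screen and sanitizer for the kind of LSB-plane embedding the abstract describes, assuming the trigger occupies only the lowest bit plane of an 8-bit channel (run it per channel for RGB data). All function names, the threshold and the sample images are constructed for illustration.

```python
import random

def lsb_agreement(img):
    """Fraction of adjacent pixel pairs whose least-significant bits match."""
    h, w = len(img), len(img[0])
    same = total = 0
    for y in range(h):
        for x in range(w):
            for ny, nx in ((y, x + 1), (y + 1, x)):
                if ny < h and nx < w:
                    same += (img[y][x] & 1) == (img[ny][nx] & 1)
                    total += 1
    return same / total

def is_suspicious(img, max_dev=0.15):
    # Noise-like LSB planes sit near 0.5; a structured plane moves far from it.
    # Heuristic only: flat or saturated regions in benign images also deviate.
    return abs(lsb_agreement(img) - 0.5) > max_dev

def sanitize(img, seed=0):
    """Overwrite each LSB with a random bit; changes every pixel by at most 1."""
    rng = random.Random(seed)
    return [[(p & 0xFE) | rng.getrandbits(1) for p in row] for row in img]

def constructed_clean(size=32, seed=1):
    # Constructed stand-in for one benign image channel: gradient plus noise.
    rng = random.Random(seed)
    return [[20 + 4 * x + 2 * y + rng.randint(0, 7) for x in range(size)]
            for y in range(size)]

def constructed_structured(img, block=8):
    # Constructed suspect sample: the LSB plane carries a block pattern
    # (assumed stand-in for an embedded image; not the paper's trigger).
    return [[(p & 0xFE) | ((x // block + y // block) & 1)
             for x, p in enumerate(row)] for y, row in enumerate(img)]

if __name__ == "__main__":
    clean = constructed_clean()
    suspect = constructed_structured(clean)
    for name, img in (("clean", clean), ("suspect", suspect),
                      ("sanitized", sanitize(suspect))):
        print(name, round(lsb_agreement(img), 3), is_suspicious(img))
```

Randomizing the low bit, rather than zeroing it, keeps sanitized images from looking structured to the same screen; if an embedding uses more than one bit plane, the mask has to cover those planes too.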