Backdoor attacks are recognized as a significant security threat to deep learning. Such attacks can induce models to perform abnormally with inputs that contain predefined triggers, while maintaining state-of-the-art (SOTA) performance on clean data. Research indicates that existing backdoor attacks in the spatial domain have the problems of poor stealthiness and limited effectiveness. Based on the dispersion of adding perturbations in the frequency domain and the idea that multiple frequency-domain transformations can achieve different levels of feature fusion, we propose a dual-frequency-domain transformation backdoor attack method called DFDT (dual-frequency-domain transformation). DFDT executes dual-frequency-domain transformation on both clean samples and a trigger image, then conducts feature fusion in the frequency domain to augment the stealthiness of the poisoned samples. In addition, we introduce regularization samples to reduce the latent separability of clean and poisoned samples. We thoroughly evaluate the DFDT on three image datasets: CIFAR-10, GTSRB, and CIFAR-100. The experimental results show that the DFDT achieves greater stealthiness and effectiveness, achieving an attack success rate (ASR) that approximates 100% and a benign accuracy (BA) nearing 94%. Furthermore, we illustrate that DFDT can successfully evade state-of-the-art defenses, including STRIP, NC, and I-BAU.
Cao et al. (Tue,) studied this question.