A4 Refereed article in a conference publication
Low-Frequency Black-Box Backdoor Attack via Evolutionary Algorithm
Authors: Qiao, Yanqi; Liu, Dazhuang; Wang, Rui; Liang, Kaitai
Editors: N/A
Conference name: IEEE Workshop on Applications of Computer Vision (WACV)
Publisher: IEEE COMPUTER SOC
Publication year: 2025
Journal: IEEE Winter Conference on Applications of Computer Vision
Book title : 2025 IEEE/CVF Winter Conference on Applications of Computer Vision (WACV)
Series title: IEEE Winter Conference on Applications of Computer Vision
First page : 7582
Last page: 7592
ISBN: 979-8-3315-1084-8
eISBN: 979-8-3315-1083-1
ISSN: 1550-5790
eISSN: 2642-9381
DOI: https://doi.org/10.1109/WACV61041.2025.00737
Publication's open availability at the time of reporting: No Open Access
Publication channel's open availability : No Open Access publication channel
Web address : https://ieeexplore.ieee.org/document/10944093
Convolutional Neural Networks (CNNs) that have excelled in diverse computer vision tasks are vulnerable to backdoor attacks, enabling attacker-controlled predictions via specific triggers. Restricted to spatial domains, recent research exploits perceptual traits by embedding triggers in the frequency domain, yielding pixel-level indistinguishable perturbations. In black-box settings, restricted access to model and training process necessitates advanced trigger designs. Current frequency-based attacks manipulate magnitude spectra, introducing discrepancies between clean and poisoned data, though vulnerable to common image processing operations like compression and filtering.In this paper, we propose a robust low-frequency backdoor attack (LFBA) in black-box setup that minimally perturbs spectrum components and maintains the perceptual similarity in spatial space simultaneously. Our methodology capitalizes on the insight that optimal triggers can be located in low-frequency regions to maximize attack effectiveness, robustness against image transformation operations, and stealthiness in dual space. To effectively explore the discrete frequency space, we utilize simulated annealing (SA), a form of evolutionary algorithm, to optimize the properties of trigger including the frequency bands to be manipulated and the perturbation of each band under restricted attack scenario. Extensive experiments on both CNNs and Vision Transformers (ViT) confirm the effectiveness and robustness of LFBA against image processing operations and state-of-the-art backdoor defenses. Furthermore, LFBA exhibits inherent stealthiness in both spatial and frequency spaces, making it resistant to human and frequency inspection.
