Physical Backdoor: Towards Temperature-based Backdoor Attacks in the Physical World

Read original: arXiv:2404.19417 - Published 5/1/2024 by Wen Yin, Jian Lou, Pan Zhou, Yulai Xie, Dan Feng, Yuhua Sun, Tailai Zhang, Lichao Sun

Overview

  • This paper investigates security vulnerabilities in thermal infrared object detection (TIOD) systems, which are commonly used in dark or temperature-sensitive environments where visible light object detection cannot effectively operate.
  • The researchers introduce two novel types of backdoor attacks on TIOD systems: Object-affecting Attack and Range-affecting Attack.
  • The paper analyzes key factors that influence the design of triggers for these backdoor attacks, including temperature, size, material, and concealment.
  • Extensive experiments were conducted in both digital and physical environments, demonstrating the feasibility and effectiveness of these backdoor attacks on TIOD systems.

Plain English Explanation

Backdoor attacks are a security vulnerability where an attacker sneaks in a hidden "backdoor" that can be used to manipulate a system. This paper looks at how these types of attacks can target thermal infrared object detection (TIOD) systems, which are used in situations where regular camera-based object detection doesn't work well, like in the dark or in places with changing temperatures.

The researchers introduce two new ways to attack TIOD systems with backdoors. The first is an "Object-affecting Attack" that can make the system misidentify certain objects. The second is a "Range-affecting Attack" that can change how far away the system can detect objects.

The key to making these backdoor attacks work is carefully designing the "trigger" - a physical object or temperature change that activates the backdoor. The paper analyzes important factors like the temperature, size, material, and how hidden the trigger is. Understanding these factors is crucial for creating effective physical triggers and running experiments to test the attacks.

The researchers did extensive testing of their attacks, both digitally using TIOD datasets and physically using a thermal camera in real-world settings like intersections and parking lots. They were able to achieve attack success rates of up to 98% in both digital and physical environments.

Technical Explanation

This paper presents the first investigation into the security vulnerabilities of thermal infrared object detection (TIOD) systems in the context of backdoor attacks. The researchers introduce two novel attack types:

  1. Object-affecting Attack: This attack causes the TIOD system to misclassify a specific target object, such as identifying a person as a vehicle.
  2. Range-affecting Attack: This attack alters the detection range of the TIOD system, allowing an attacker to either expand or limit the distance at which objects are detected.

The paper conducts a comprehensive analysis of key factors that influence the design of effective backdoor triggers for TIOD systems, including temperature, size, material, and concealment. These factors, especially temperature, are shown to have a significant impact on the success of the backdoor attacks.

In the digital realm, the researchers evaluate their attacks using benchmark TIOD datasets, achieving an Attack Success Rate (ASR) of up to 98.21%. They then validate the attacks in two real-world physical settings - a traffic intersection and a parking lot - using a thermal infrared camera, reaching an ASR of up to 98.38%.

Critical Analysis

The paper provides a thorough investigation of backdoor attacks on TIOD systems, which is an important contribution given the increasing reliance on these systems in security-critical applications. The researchers' exploration of temperature as a key factor in trigger design is a valuable insight, as thermal characteristics can be challenging to control and monitor in real-world deployments.

However, the paper does not address potential countermeasures or defense strategies against these types of backdoor attacks. While the experiments demonstrate the feasibility of the attacks, more research is needed to develop effective detection and mitigation techniques. Additionally, the paper does not explore the ethical implications or societal impact of such vulnerabilities, which would be an important consideration for future work.

Conclusion

This paper presents groundbreaking research into the security vulnerabilities of thermal infrared object detection (TIOD) systems, which are widely used in various applications where traditional visible light object detection is not practical. The researchers introduce two novel backdoor attack types - Object-affecting Attack and Range-affecting Attack - and provide a comprehensive analysis of the key factors that influence the design of effective backdoor triggers, particularly the critical role of temperature.

The extensive experiments conducted in both digital and physical environments demonstrate the feasibility and high success rates of these backdoor attacks on TIOD systems. This work highlights the need for increased security measures and defense strategies to protect TIOD systems from such vulnerabilities, especially as they become more prevalent in security-critical applications. The findings of this paper serve as an important foundation for future research and development in this area.



This summary was produced with help from an AI and may contain inaccuracies - check out the links to read the original source documents!

Related Papers

Physical Backdoor: Towards Temperature-based Backdoor Attacks in the Physical World

Wen Yin, Jian Lou, Pan Zhou, Yulai Xie, Dan Feng, Yuhua Sun, Tailai Zhang, Lichao Sun

Backdoor attacks have been well-studied in visible light object detection (VLOD) in recent years. However, VLOD can not effectively work in dark and temperature-sensitive scenarios. Instead, thermal infrared object detection (TIOD) is the most accessible and practical in such environments. In this paper, our team is the first to investigate the security vulnerabilities associated with TIOD in the context of backdoor attacks, spanning both the digital and physical realms. We introduce two novel types of backdoor attacks on TIOD, each offering unique capabilities: Object-affecting Attack and Range-affecting Attack. We conduct a comprehensive analysis of key factors influencing trigger design, which include temperature, size, material, and concealment. These factors, especially temperature, significantly impact the efficacy of backdoor attacks on TIOD. A thorough understanding of these factors will serve as a foundation for designing physical triggers and temperature controlling experiments. Our study includes extensive experiments conducted in both digital and physical environments. In the digital realm, we evaluate our approach using benchmark datasets for TIOD, achieving an Attack Success Rate (ASR) of up to 98.21%. In the physical realm, we test our approach in two real-world settings: a traffic intersection and a parking lot, using a thermal infrared camera. Here, we attain an ASR of up to 98.38%.

5/1/2024

Towards Robust Physical-world Backdoor Attacks on Lane Detection

Xinwei Zhang, Aishan Liu, Tianyuan Zhang, Siyuan Liang, Xianglong Liu

Deep learning-based lane detection (LD) plays a critical role in autonomous driving systems, such as adaptive cruise control. However, it is vulnerable to backdoor attacks. Existing backdoor attack methods on LD exhibit limited effectiveness in dynamic real-world scenarios, primarily because they fail to consider dynamic scene factors, including changes in driving perspectives (e.g., viewpoint transformations) and environmental conditions (e.g., weather or lighting changes). To tackle this issue, this paper introduces BadLANE, a dynamic scene adaptation backdoor attack for LD designed to withstand changes in real-world dynamic scene factors. To address the challenges posed by changing driving perspectives, we propose an amorphous trigger pattern composed of shapeless pixels. This trigger design allows the backdoor to be activated by various forms or shapes of mud spots or pollution on the road or lens, enabling adaptation to changes in vehicle observation viewpoints during driving. To mitigate the effects of environmental changes, we design a meta-learning framework to train meta-generators tailored to different environmental conditions. These generators produce meta-triggers that incorporate diverse environmental information, such as weather or lighting conditions, as the initialization of the trigger patterns for backdoor implantation, thus enabling adaptation to dynamic environments. Extensive experiments on various commonly used LD models in both digital and physical domains validate the effectiveness of our attacks, outperforming other baselines significantly (+25.15% on average in Attack Success Rate). Our codes will be available upon paper publication.

7/2/2024

DiffPhysBA: Diffusion-based Physical Backdoor Attack against Person Re-Identification in Real-World

Wenli Sun, Xinyang Jiang, Dongsheng Li, Cairong Zhao

Person Re-Identification (ReID) systems pose a significant security risk from backdoor attacks, allowing adversaries to evade tracking or impersonate others. Beyond recognizing this issue, we investigate how backdoor attacks can be deployed in real-world scenarios, where a ReID model is typically trained on data collected in the digital domain and then deployed in a physical environment. This attack scenario requires an attack flow that embeds backdoor triggers in the digital domain realistically enough to also activate the buried backdoor in person ReID models in the physical domain. This paper realizes this attack flow by leveraging a diffusion model to generate realistic accessories on pedestrian images (e.g., bags, hats, etc.) as backdoor triggers. However, the noticeable domain gap between the triggers generated by the off-the-shelf diffusion model and their physical counterparts results in a low attack success rate. Therefore, we introduce a novel diffusion-based physical backdoor attack (DiffPhysBA) method that adopts a training-free similarity-guided sampling process to enhance the resemblance between generated and physical triggers. Consequently, DiffPhysBA can generate realistic attributes as semantic-level triggers in the digital domain and provides higher physical ASR compared to the direct paste method by 25.6% on the real-world test set. Through evaluations on newly proposed real-world and synthetic ReID test sets, DiffPhysBA demonstrates an impressive success rate exceeding 90% in both the digital and physical domains. Notably, it excels in digital stealth metrics and can effectively evade state-of-the-art defense methods.

5/31/2024

BadFusion: 2D-Oriented Backdoor Attacks against 3D Object Detection

Saket S. Chaturvedi, Lan Zhang, Wenbin Zhang, Pan He, Xiaoyong Yuan

3D object detection plays an important role in autonomous driving; however, its vulnerability to backdoor attacks has become evident. By injecting "triggers" to poison the training dataset, backdoor attacks manipulate the detector's prediction for inputs containing these triggers. Existing backdoor attacks against 3D object detection primarily poison 3D LiDAR signals, where large-sized 3D triggers are injected to ensure their visibility within the sparse 3D space, rendering them easy to detect and impractical in real-world scenarios. In this paper, we delve into the robustness of 3D object detection, exploring a new backdoor attack surface through 2D cameras. Given the prevalent adoption of camera and LiDAR signal fusion for high-fidelity 3D perception, we investigate the latent potential of camera signals to disrupt the process. Although the dense nature of camera signals enables the use of nearly imperceptible small-sized triggers to mislead 2D object detection, realizing 2D-oriented backdoor attacks against 3D object detection is non-trivial. The primary challenge emerges from the fusion process that transforms camera signals into a 3D space, compromising the association with the 2D trigger to the target output. To tackle this issue, we propose an innovative 2D-oriented backdoor attack against LiDAR-camera fusion methods for 3D object detection, named BadFusion, for preserving trigger effectiveness throughout the entire fusion process. The evaluation demonstrates the effectiveness of BadFusion, achieving a significantly higher attack success rate compared to existing 2D-oriented attacks.

5/8/2024