
Author: 洪立宇 (Li-Yu Hung)
Title: Backdoor Attacks against Classification Models by Victim Data Selection (透過選擇受害者資料設計針對分類模型之後門攻擊)
Advisors: 李漢銘 (Hahn-Ming Lee), 鄭欣明 (Shin-Ming Cheng)
Committee: 李育杰 (Yuh-Jye Lee), 王紹睿 (Shao-Jui Wang)
Degree: Master
Department: College of Electrical Engineering and Computer Science, Department of Computer Science and Information Engineering
Year of publication: 2023
Academic year of graduation: 111 (ROC calendar, i.e. 2022/23)
Language: English
Pages: 44
Keywords: machine learning, backdoor attack, victim data selection

Abstract: With the advancement of artificial intelligence models, a series of backdoor attacks on different application domains has been proposed. Current research on backdoor attacks focuses mainly on how attackers in different fields design effective triggers. However, in backdoor attacks that poison the training set by embedding triggers in training samples, the usual practice is to select the samples to poison at random. By instead choosing the samples that are easiest to infect, both the success rate and the stealthiness of a backdoor attack can be improved significantly. We propose the Target Algorithm, a strategy for choosing which samples to implant, and show experimentally that in the most favourable cases this selection strategy more than doubles the efficiency of the backdoor attack. Importantly, the method requires no additional optimization of the trigger design.
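The abstract's point is that a training-set poisoning attack has a selection step, not just a trigger, and that which samples receive the trigger changes the attack's outcome. The following harness makes that step explicit so the effect can be measured. It is an added example written for this page, not code from the thesis: the synthetic Gaussian data, the two-feature trigger, the logistic-regression learner and the margin-based selection heuristics (`easiest`, `hardest`) are all assumptions of the example and are not the thesis's Target Algorithm, whose criterion this page does not describe.

```python
"""Backdoor poisoning with a pluggable victim-sample selection step.

Added example for this page, not code from the thesis. Everything is constructed:
the Gaussian data, the two-feature trigger, the logistic-regression learner and the
margin-based selection heuristics are assumptions of the example, not the thesis's
Target Algorithm.
"""
import numpy as np

N_INF, N_TRIG = 8, 2               # informative feature dims, trigger-carrying dims
D = N_INF + N_TRIG
TRIGGER_DIMS = [N_INF, N_INF + 1]  # the trigger overwrites the last two dims
TRIGGER_VALUE = 6.0                # far outside the N(0,1) noise on those dims
SOURCE, TARGET = 0, 1              # poison class-0 samples, relabel them to class 1


def make_data(n, rng):
    """Constructed data: class means -0.7/+0.7 on informative dims, trigger dims pure noise."""
    y = rng.integers(0, 2, size=n)
    x = rng.normal(size=(n, D))
    x[:, :N_INF] += np.where(y[:, None] == 1, 0.7, -0.7)
    return x, y


def stamp(x):
    """Apply the trigger: overwrite the trigger dims with a fixed value."""
    x = np.array(x, dtype=float, copy=True)
    x[:, TRIGGER_DIMS] = TRIGGER_VALUE
    return x


def train(x, y, epochs=300, lr=0.1, l2=1e-3):
    """Full-batch gradient descent for L2-regularised logistic regression."""
    w, b = np.zeros(D), 0.0
    for _ in range(epochs):
        z = np.clip(x @ w + b, -30, 30)            # avoid overflow in exp
        err = 1.0 / (1.0 + np.exp(-z)) - y         # p(y=1|x) - y
        w -= lr * (x.T @ err / len(y) + l2 * w)
        b -= lr * err.mean()
    return w, b


def predict(model, x):
    w, b = model
    return (x @ w + b > 0).astype(int)


def margins(model, x, y):
    """Signed score from the clean model, positive when it agrees with the true label."""
    w, b = model
    return (x @ w + b) * np.where(y == 1, 1.0, -1.0)


def select_random(y, k, rng):
    """Baseline: k source-class samples chosen uniformly at random."""
    return rng.choice(np.flatnonzero(np.asarray(y) == SOURCE), size=k, replace=False)


def select_by_margin(margin, y, k, hardest):
    """Assumed heuristic: rank source-class samples by clean-model margin and take the
    k most confidently classified (hardest=True) or least confidently (hardest=False)."""
    cand = np.flatnonzero(np.asarray(y) == SOURCE)
    order = np.argsort(np.asarray(margin, dtype=float)[cand])
    chosen = order[len(cand) - k:] if hardest else order[:k]
    return cand[chosen]


def poison(x, y, idx):
    """Stamp the trigger on the chosen samples and flip their label to TARGET."""
    xp, yp = x.copy(), y.copy()
    xp[idx] = stamp(x[idx])
    yp[idx] = TARGET
    return xp, yp


def attack_success_rate(model, x_test, y_test):
    """Fraction of clean source-class test samples that the trigger flips to TARGET."""
    src = x_test[y_test == SOURCE]
    return float(np.mean(predict(model, stamp(src)) == TARGET))


def run(strategy, k=100, seed=0):
    """Poison k samples with one strategy; return (attack success rate, clean accuracy)."""
    rng = np.random.default_rng(seed)
    x_tr, y_tr = make_data(1000, rng)
    x_te, y_te = make_data(1000, rng)
    if strategy == "random":
        idx = select_random(y_tr, k, rng)
    else:                                          # attacker scores samples with a clean surrogate
        surrogate = train(x_tr, y_tr)
        idx = select_by_margin(margins(surrogate, x_tr, y_tr), y_tr, k, strategy == "hardest")
    model = train(*poison(x_tr, y_tr, idx))
    clean_acc = float(np.mean(predict(model, x_te) == y_te))
    return attack_success_rate(model, x_te, y_te), clean_acc


if __name__ == "__main__":
    print("baseline (no poison): ASR=%.2f acc=%.2f" % run("random", k=0))
    for k in (20, 100):
        for strategy in ("random", "easiest", "hardest"):
            asr, acc = run(strategy, k=k)
            print(f"k={k:3d} {strategy:8s} ASR={asr:.2f} clean acc={acc:.2f}")
```

Running the script prints, for two poison budgets, the attack success rate (ASR) and the clean test accuracy obtained with random selection and with the two margin-based heuristics; the no-poison baseline shows how often the trigger flips a source-class sample by accident. `select_by_margin` is the hook where a criterion such as the thesis's would be plugged in. Two practical points the harness exposes: ASR and clean accuracy must be read together, since a selection that raises ASR at the cost of clean accuracy is less stealthy, not more; and the surrogate model used for scoring is the attacker's own, so a selection criterion only transfers to the victim's training run to the extent that the two models rank samples alike.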

Table of contents:
Introduction
Background and Related Work
Method
Experimental Evaluation
Future Work
Conclusions

