Article
Peer-Review Record

Invisible Backdoor Learning in Transform Domain with Flexible Triggers and Targets

Electronics 2025, 14(1), 196; https://doi.org/10.3390/electronics14010196
by Yuyuan Sun 1,2, Yuliang Lu 1,2,*, Xuehu Yan 1,2 and Zeshan Pang 1,2
Reviewer 1:
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Reviewer 4:
Reviewer 5: Anonymous
Submission received: 25 November 2024 / Revised: 3 January 2025 / Accepted: 3 January 2025 / Published: 5 January 2025

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

The manuscript introduces a novel invisible backdoor learning scheme in the transform domain with flexible triggers and targets, enhancing security threats in deep learning models by incorporating multiple triggers corresponding to different targets or a single target. This method maintains model accuracy while achieving a high attack success rate, proving resilient against common defense methods and offering high visual quality of poisoned samples.


Suggestions for Improvement:

1. The description of how triggers and backdoors are implemented and interact could be expanded for clarity. This includes a more detailed explanation of the transform domain and how it aids in maintaining the invisibility of the triggers.


2. Although the paper demonstrates resistance to several defense strategies, testing against more recent or advanced defense mechanisms could further validate the robustness of the backdoor methods.


3. The manuscript could benefit from a more comprehensive comparison with existing backdoor methods, particularly highlighting the advantages of the proposed method in terms of flexibility and invisibility.

Author Response

Comments 1:

The description of how triggers and backdoors are implemented and interact could be expanded for clarity. This includes a more detailed explanation of the transform domain and how it aids in maintaining the invisibility of the triggers.

Response 1:

Thank you for this insightful suggestion. We agree that a more detailed explanation of the implementation and interaction of triggers and backdoors is essential for enhancing the clarity of our work. In the revised manuscript, we will provide a more comprehensive description.

In Section 3.2, we have enhanced the description of the relevant content and modified it. We have added subsection 3.2.2 Trigger addition in different frequency, where we explain why different regions are distinguished, then explain why additions are made in the frequency domain, and explain the difference from the spatial domain.

Comments 2:

Although the paper demonstrates resistance to several defense strategies, testing against more recent or advanced defense mechanisms could further validate the robustness of the backdoor methods.

Response 2:

Thank you for the suggestion. We have reviewed the relevant literature and added reference [34] to evaluate the defense effectiveness of the proposed method.

Comments 3:

The manuscript could benefit from a more comprehensive comparison with existing backdoor methods, particularly highlighting the advantages of the proposed method in terms of flexibility and invisibility.

Response 3:

The manuscript could benefit from a more comprehensive comparison with existing backdoor methods, particularly highlighting the advantages of the proposed method in terms of flexibility and invisibility.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

The introduction provides a sufficient background by outlining the challenges in deep learning security, particularly backdoor attacks, and their implications for artificial intelligence applications. It also reviews the literature comprehensively to establish the novelty of the proposed work. The research design is appropriate.

The study introduces a well-defined methodology for implementing backdoor attacks with flexible triggers and targets. The multi-triggers and multi-targets (MTMT) and multi-triggers and one-target (MTOT) modes are clearly articulated and evaluated using systematic experiments.

The methods are adequately described. The paper includes detailed algorithms for implementing MTMT and MTOT modes, alongside clear explanations of their mechanics and how the poison samples are generated. The transformation to the YCbCr domain and manipulation in the frequency domain are also well-explained.

The results are clearly presented with tables and figures that highlight the experimental outcomes, such as attack success rates (ASRi) and benign accuracy (BA). The metrics and datasets used are appropriate for evaluating the performance of the proposed methods.

The conclusions are supported by the results. The experiments demonstrate high attack success rates (up to 95%) and minimal impact on benign accuracy, validating the effectiveness and stealthiness of the proposed backdoor methods.

Recommendations:

  • Section 3.2: The methodology mentions the use of the frequency domain for trigger injection. Including a comparison of this approach with spatial-domain alternatives could enhance the discussion.
  • Figure 1: The graphical representation of backdoor modes is helpful but could be more detailed to illustrate the differences between MTMT and MTOT visually.
  • Ethics Statement: While the ethical implications are implied, an explicit statement regarding the ethical considerations and intended use of the proposed techniques would strengthen the paper.
  • References: While the references are relevant, the manuscript could benefit from more citations to very recent studies (published within the last two years) to ensure it reflects the latest advancements in the field. The authors might also include more comparative discussion of their work against other frequency-domain manipulation techniques to provide additional context.
Comments on the Quality of English Language
  • Grammar and Syntax: There are occasional grammatical errors and awkward phrasings (e.g., "direct addition process cannot does not have the best results"). These should be corrected for clarity.
  • Redundancies: Some sentences repeat information unnecessarily, which can make the text less concise. For example, the explanation of MTMT and MTOT modes could be streamlined.
  • Technical Terminology: The technical terms are used correctly, but some descriptions could be rephrased to enhance readability, especially for a non-specialist audience.

Author Response

Comments 1:

Section 3.2: The methodology mentions the use of the frequency domain for trigger injection. Including a comparison of this approach with spatial-domain alternatives could enhance the discussion.

Response 1:

Thanks for the suggestion. In Section 3, we add a part about adding triggers in the frequency domain.

Literature [25] is a similar method in the spatial domain. In Table 13, we compare it with our scheme. In [25], the trigger is not only fixed and visible, but also difficult to realize flexible triggers and targets.

Comments 2:

Figure 1: The graphical representation of backdoor modes is helpful but could be more detailed to illustrate the differences between MTMT and MTOT visually.

Response 2:

Thanks for the suggestion. We add relevant explanations after Figure 1. At the same time, at the end of the Methodology, we have also stressed this point.

Comments 3:

Ethics Statement: While the ethical implications are implied, an explicit statement regarding the ethical considerations and intended use of the proposed techniques would strengthen the paper.

Response 3:

Thank you for your inspiration. Our study of backdoor learning not only enhances our understanding of model performance, but will also use this performance to enhance the protection of model security. We also advocate the use of backdoor learning features to make corresponding contributions to the application of deep learning models. We also stated this in the introduction.

Comments 4:

References: While the references are relevant, the manuscript could benefit from more citations to very recent studies (published within the last two years) to ensure it reflects the latest advancements in the field. The authors might also include more comparative discussion of their work against other frequency-domain manipulation techniques to provide additional context.

Response 4:

Thank you for your reminder. In Section 2, we add seven related articles.

In addition, we have added an experiment on the robustness of the latest defense method.

What’s more, we compare our proposed method with the existing ones to further analyze our advantages.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

The paper is really interesting and innovative, in a field which has become (and will continue to be!) extremely relevant in recent years. As all LLMs are actually based on deep learning processes, their security is of utmost importance.

I suggest an attached study-case, with more specific information, datasets and comparisons be put forward to the scientific community.


Moreover, I think one final revision in English would not hurt.

For example, even in the Conclusion section, there are several language mistakes, such as: "with the two mode" - missing an s, "impalanted" instead of implanted etc. Overall, the paper is understandable without relevant issues, but it would still be better to address those items before final publishing.

Author Response

Comments:

The paper is really interesting and innovative, in a field which has become (and will continue to be!) extremely relevant in recent years. As all LLMs are actually based on deep learning processes, their security is of utmost importance.

I suggest an attached study-case, with more specific information, datasets and comparisons be put forward to the scientific community.


Moreover, I think one final revision in English would not hurt.

For example, even in the Conclusion section, there are several language mistakes, such as: "with the two mode" - missing an s, "impalanted" instead of implanted etc. Overall, the paper is understandable without relevant issues, but it would still be better to address those items before final publishing.

Response:

Thank you very much for your comments and valuable suggestions on this article.

We quite agree with your proposal. In the experiment, we used an open dataset to verify the validity of the method. At the same time, experiments are added to verify the influence of adding triggers of different degrees in different areas on the scheme, and the bypass ability test of the latest defense methods is also added.

The English expression problem you pointed out really needs further improvement. We appreciate you pointing out the specific error.

Author Response File: Author Response.pdf

Reviewer 4 Report

Comments and Suggestions for Authors

This paper addresses an interesting issue in the security of deep neural networks (DNNs), focusing on backdoor attacks and proposing a novel method leveraging the transform domain. While the topic is timely and relevant, the work suffers from significant conceptual, methodological, and interpretive shortcomings that undermine its scientific contribution.

In terms of methodology, the use of transform-domain modifications as triggers is intriguing but insufficiently detailed. Critical aspects such as the choice of transform techniques (e.g., Discrete Cosine Transform) and their implications for visual quality or model robustness are not rigorously justified. The choice of YCbCr color space is presented as an operational convenience, yet its superiority over alternative representations remains unsubstantiated, raising concerns about whether the approach is optimal or arbitrarily selected. Furthermore, the poisoning process, particularly its adaptability across datasets and models, lacks empirical validation beyond superficial metrics like accuracy and success rate. Discussions around computational efficiency, especially given the resource-intensive transform-domain operations, are conspicuously absent.

The experimental evaluation is comprehensive but flawed in several respects. While metrics such as benign accuracy (BA) and attack success rate (ASR) are reported, they fail to address critical dimensions such as the robustness of the backdoor to unseen defense methods or its behavior under adversarial perturbations. Also, the claim of invisibility is supported by PSNR and SSIM metrics, but these are inadequate proxies for perceptual indistinguishability, particularly in adversarial contexts. The defense evaluations appear cursory, often summarizing performance without exploring the failure modes or countermeasures. For example, while Neural Cleanse and STRIP are evaluated, no deeper analysis is provided about why these defenses underperform against the proposed triggers.

The conclusion makes overly generalized claims about the flexibility and efficacy of the proposed method, which are not supported by the presented evidence. The manuscript fails to critically reflect on its limitations, such as its reliance on manual parameter tuning for trigger generation or the lack of exploration into the ethical ramifications of enabling more sophisticated backdoor attacks.


Author Response

Comments 1:

In terms of methodology, the use of transform-domain modifications as triggers is intriguing but insufficiently detailed. Critical aspects such as the choice of transform techniques (e.g., Discrete Cosine Transform) and their implications for visual quality or model robustness are not rigorously justified. The choice of YCbCr color space is presented as an operational convenience, yet its superiority over alternative representations remains unsubstantiated, raising concerns about whether the approach is optimal or arbitrarily selected. Furthermore, the poisoning process, particularly its adaptability across datasets and models, lacks empirical validation beyond superficial metrics like accuracy and success rate. Discussions around computational efficiency, especially given the resource-intensive transform-domain operations, are conspicuously absent.

Response 1:

First, we admit that there are deficiencies in the description of the scheme, and in Section 3.2.2, we add details on this aspect. This operation not only ensures the invisibility of the trigger in the poisoning sample, but also provides space for multiple trigger embeddings.

Besides, we supplement the experiment on the choice of color channels in Section 4.3.

As for the computational efficiency, we give the analysis at the end of the methodology.

Comments 2:

The experimental evaluation is comprehensive but flawed in several respects. While metrics such as benign accuracy (BA) and attack success rate (ASR) are reported, they fail to address critical dimensions such as the robustness of the backdoor to unseen defense methods or its behavior under adversarial perturbations. Also, the claim of invisibility is supported by PSNR and SSIM metrics, but these are inadequate proxies for perceptual indistinguishability, particularly in adversarial contexts. The defense evaluations appear cursory, often summarizing performance without exploring the failure modes or countermeasures. For example, while Neural Cleanse and STRIP are evaluated, no deeper analysis is provided about why these defenses underperform against the proposed triggers.

Response 2:

Thanks for the suggestion. Typically, PSNR and SSIM are used to measure the degree of change between two images, reflecting the invisibility of the trigger, while the fidelity of the model is verified by reliable BA. While demonstrating the basic performance of the scheme, we also add new experiments. Section 4.3 explores the color channel effect and Section 4.5 is the offset and position effect.

We add cause analysis for defenses.

Comments 3:

The conclusion makes overly generalized claims about the flexibility and efficacy of the proposed method, which are not supported by the presented evidence. The manuscript fails to critically reflect on its limitations, such as its reliance on manual parameter tuning for trigger generation or the lack of exploration into the ethical ramifications of enabling more sophisticated backdoor attacks.

Response 3:

Thanks for the suggestion. In Section 4.7, we compare the characteristics of the proposed scheme with those of existing schemes, and explain the advantages of our scheme.

For the existing problems in the scheme, such as manual parameter tuning for trigger generation, we will try to solve them in future work. In the introduction, we have also increased our exploration of ethics.


Author Response File: Author Response.pdf

Reviewer 5 Report

Comments and Suggestions for Authors

In this article, the authors propose a method for backdoor learning that leverages the transform domain to create flexible and imperceptible triggers. This approach addresses the limitations of traditional backdoor attacks by allowing for multiple triggers and targets, thereby enhancing both the attack's effectiveness and its resilience against existing defense mechanisms. The authors convincingly argue the potential real-world implications of their method in applications such as facial recognition, autonomous driving, and secure authentication systems, emphasizing the urgent need for more robust security measures.

Below are my suggestions for improving the article:

1. Section 3 mentions the trade-off between the effectiveness of the trigger and its concealment but doesn’t provide much detail on how this balance is optimized in practice. For example, how is the degree of change to high and low frequencies controlled to avoid detection by the DNN model without compromising attack success?

2. The process of applying offsets to images in the frequency domain lacks sufficient clarity.

Author Response

Comments 1:

Section 3 mentions the trade-off between the effectiveness of the trigger and its concealment but doesn’t provide much detail on how this balance is optimized in practice. For example, how is the degree of change to high and low frequencies controlled to avoid detection by the DNN model without compromising attack success?

Response 1:

Thank you very much for your valuable suggestions on Section 3 of this article. In order to better explain this problem, we added part of the experiment in Section 4.5 to explore the effect of the degree of change on the model.

Comments 2:

The process of applying offsets to images in the frequency domain lacks sufficient clarity.

Response 2:

Thank you for the suggestion. We admit that the relevant aspects are not clear enough in the previous version. We added a description in Section 3.2.2.


Author Response File: Author Response.pdf

Round 2

Reviewer 4 Report

Comments and Suggestions for Authors

Thank you for your thoughtful and thorough revisions to the manuscript in response to the previous round of comments. We appreciate the effort you have dedicated to addressing the reviewers' feedback and enhancing the clarity, depth, and quality of the work.

Having carefully reviewed the revised manuscript, we are pleased to confirm that all significant issues raised during the review process have been appropriately addressed. The manuscript now meets the standards required for publication, and we commend you for your diligence in improving its presentation and scientific rigor.

Congratulations on reaching this important milestone, and we look forward to seeing your work published.
