Kaleidoscope: Physical Backdoor Attacks Against Deep Neural Networks With RGB Filters

IEEE Transactions on Dependable and Secure Computing (2023)

Abstract
Recent research has shown that deep neural networks are vulnerable to backdoor attacks. A carefully designed backdoor trigger will mislead the victim model into misclassifying any sample carrying the trigger as the target label. Nevertheless, existing works usually utilize visible triggers, such as a white square at the corner of the image, which are easily detected by human inspection. Current efforts on developing invisible triggers yield low attack success in the physical domain. In this paper, we propose Kaleidoscope, an RGB (red, green, and blue) filter-based backdoor attack method, which utilizes RGB filter operations as the backdoor trigger. To enhance the attack success rate, we design a novel model-dependent filter trigger generation algorithm. We also introduce two constraints in the loss function to make the backdoored samples more natural and less distorted. Extensive experiments on CIFAR-10, CIFAR-100, ImageNette, and VGG-Flower have demonstrated that RGB filter-processed samples not only achieve a high attack success rate but are also unnoticeable to humans. It is shown that Kaleidoscope can reach an attack success rate of more than 84% in the physical world under different lighting intensities and shooting angles. Kaleidoscope is also shown to be robust to state-of-the-art backdoor defenses, such as spectral signature, STRIP, and MNTD.
Keywords
Backdoor attacks, deep neural networks, RGB filters