Dynamic Invisible Backdoor Sample Generation based on Spatial-Spectral Domain

The rapid development of deep learning technologies has enabled deep neural networks to achieve remarkable success in various fields. However, in light of the increasing prevalence of backdoor attacks, deep neural networks have shown significant vulnerability in such novel scenarios. To address the issue that triggers in current backdoor samples are easily exposed during testing, this study enhances the concealment of samples from both the spatial and frequency domains, proposing a dynamic invisible backdoor sample generation framework called S²D-DIBA (Spatial-Spectral Domain Dynamic Invisible Backdoor Attack). In the spatial domain, a generator network based on Attention U-Net is designed, which uses an attention mechanism to focus on key regions of the image to generate a probabilistic modification matrix. A multilayer perceptron network, SampleNet, is employed to simulate a differentiable sampling process, thereby performing pixel-level optimization of key regions to generate specific and concealed spatial triggers for each clean image. In the frequency domain, both clean images and those poisoned with spatial triggers are transformed into the frequency space via discrete cosine transform. By designing a frequency domain similarity loss, the distribution difference between poisoned and clean samples in the high-frequency components is minimized, further enhancing the sample stealthiness. Experiments on two public datasets demonstrate that the proposed algorithm outperforms existing state-of-the-art methods, reducing the L1 norm by more than 50 times compared to the second-best approach while maintaining an attack success rate above 99.9%, exhibiting excellent performance in both attack effectiveness and concealment.