Backdoor Attacks for Remote Sensing Data With Wavelet Transform
Backdoor Attacks for Remote Sensing Data With Wavelet Transform
Nikolaus, D.; Yonghao, X.; Ghamisi, P.
Abstract
Recent years have witnessed the great success of deep learning algorithms in the geoscience and remote sensing (RS) realm. Nevertheless, the security and robustness of deep learning models deserve special attention when addressing safety-critical RS tasks. In this article, we provide a systematic analysis of backdoor attacks for RS data, where both scene classification and semantic segmentation tasks are considered. While most of the existing backdoor attack algorithms rely on visible triggers such as squared patches with well-designed patterns, we propose a novel wavelet transform-based attack (WABA) method, which can achieve invisible attacks by injecting the trigger image into the poisoned image in the low-frequency domain. In this way, the high-frequency information in the trigger image can be filtered out in the attack, resulting in stealthy data poisoning. Despite its simplicity, the proposed method can significantly cheat the current state-of-the-art deep learning models with a high attack success rate. We further analyze how different trigger images and the hyperparameters in the wavelet transform would influence the performance of the proposed method. Extensive experiments on four benchmark RS datasets demonstrate the effectiveness of the proposed method for both scene classification and semantic segmentation tasks and thus highlight the importance of designing advanced backdoor defense algorithms to address this threat in RS scenarios. The code will be available online at https://github.com/ndraeger/waba .
-
IEEE Transactions on Geoscience and Remote Sensing 61(2023), 5613715
DOI: 10.1109/TGRS.2023.3289307
Downloads
- Open Access Version from arxiv.org
- Secondary publication expected from 26.06.2024
Permalink: https://www.hzdr.de/publications/Publ-37918