面向图像数据的深度学习后门攻击技术综述

doi:10.19678/j.issn.1000-3428.0070128

计算机工程 ›› 2026, Vol. 52 ›› Issue (3): 62-78. doi: 10.19678/j.issn.1000-3428.0070128

面向图像数据的深度学习后门攻击技术综述

王人帅¹^,², 杨奎武², 陈越²^,*(), 王雯², 魏江宏²

1. 郑州大学网络空间安全学院, 河南郑州 450002
2. 中国人民解放军战略支援部队信息工程大学, 河南郑州 450001

收稿日期:2024-07-16 修回日期:2024-09-18 出版日期:2026-03-15 发布日期:2026-03-10
通讯作者: 陈越
作者简介:
王人帅, 男, 硕士, 主研方向为深度学习、大数据安全
杨奎武, 副教授、博士
陈越(通信作者), 教授、博士
王雯, 硕士
魏江宏, 讲师、博士
基金资助:
国家自然科学基金(62172433); 国家自然科学基金(62172434)

Survey of Deep Learning Backdoor Attack on Image Data

WANG Renshuai¹^,², YANG Kuiwu², CHEN Yue²^,*(), WANG Wen², WEI Jianghong²

1. School of Cyber Security, Zhengzhou University, Zhengzhou 450002, Henan, China
2. The PLA Strategic Support Force Information Engineering University, Zhengzhou 450001, Henan, China

Received:2024-07-16 Revised:2024-09-18 Online:2026-03-15 Published:2026-03-10
Contact: CHEN Yue

摘要/Abstract

摘要：

深入探讨深度学习领域的后门攻击问题, 该问题是一个涉及深度学习模型安全性和鲁棒性的重要议题。随着深度学习技术的广泛应用, 使用第三方数据和预训练模型变得普遍, 但这也带来了潜在的安全威胁。研究人员发现, 通过未经验证的第三方资源, 恶意代码或隐藏后门可能被引入模型中, 它们可能在特定条件下被激活, 导致模型行为异常。目前, 图像领域的后门攻击方法不断发展, 但缺乏系统性的综述来全面介绍图像领域的后门攻击技术。为此, 首先介绍后门攻击的概念和基本的攻击流程, 然后分析后门攻击和对抗攻击、数据投毒攻击2种相关安全威胁的区别, 随后从不同触发器、不同融合策略、不同目标类别、模型结构修改、模型权重修改、代码中毒、数据排序等7个方面对图像领域的后门攻击技术进行归类, 介绍后门攻击技术的演进, 分析其特点、性能以及不同技术的优缺点。在此基础上, 总结目前的研究成果, 并从多个角度对未来可能的研究方向进行分析和展望, 强调构建安全、可靠的深度学习模型的重要性。

关键词: 后门攻击, AI安全, 预训练模型, 图像数据, 神经网络

Abstract:

The in-depth exploration of backdoor attacks in the field of deep learning is important for the security and robustness of deep learning models. With the widespread application of deep learning technology, the use of third-party data and pre-trained models has become common; however, this poses potential security threats. Researchers have found that malicious codes or hidden backdoors may be introduced into a model via unverified third-party resources and may be activated under specific conditions, leading to abnormal model behavior. Currently, backdoor attack methods in the field of imaging are constantly being developed; however, systematic reviews that comprehensively introduce backdoor attack techniques in the field of imaging are rare. To this end, the concepts and basic attack processes of backdoor attacks are introduced in this study. Subsequently, the differences between backdoor and adversarial attacks, as well as data poisoning attacks, are analyzed. Additionally, backdoor attack techniques in the imaging field are classified based on seven aspects: triggers, fusion strategies, target categories, model structure modifications, model weight modifications, code poisoning, and data sorting. The evolution of backdoor attack techniques is discussed, and the characteristics, performance, advantages, and disadvantages of the different techniques are analyzed. On this basis, the results of the present study are summarized and possible future research directions are analyzed from multiple perspectives, emphasizing the importance of building safe and reliable deep learning models.

Key words: backdoor attack, AI security, pre-trained model, image data, neural network

王人帅, 杨奎武, 陈越, 王雯, 魏江宏. 面向图像数据的深度学习后门攻击技术综述[J]. 计算机工程, 2026, 52(3): 62-78.

WANG Renshuai, YANG Kuiwu, CHEN Yue, WANG Wen, WEI Jianghong. Survey of Deep Learning Backdoor Attack on Image Data[J]. Computer Engineering, 2026, 52(3): 62-78.

https://www.ecice06.com/CN/Y2026/V52/I3/62

图/表 18

图1 后门攻击流程

Fig.1 Backdoor attack process

图2 不同攻击方法对比及后门攻击分类

Fig.2 Comparison of different attack methods and classification of backdoor attacks

图3 后门攻击分类

Fig.3 Classification of backdoor attacks

图4 特定样本隐形后门攻击原理

Fig.4 Principle of invisible backdoor attack on specific samples

图5 面部表情

Fig.5 Facial expression

图6 3D点云后门攻击对比

Fig.6 Comparison of 3D point cloud backdoor attacks

图7 不可见后门攻击对比

Fig.7 Invisible backdoor attacks comparison

图8 不同的物理对象

Fig.8 Different physical objects

图9 彩色条纹触发器攻击

Fig.9 Color stripe trigger attack

图10 车道检测后门攻击

Fig.10 Lane detection backdoor attack

图11 风格迁移后门攻击

Fig.11 Style transfer backdoor attack

图12 多目标后门攻击

Fig.12 Multi-target backdoor attack

图13 模型权重修改

Fig.13 Model weights modification

参考文献 89

1	GU T Y, DOLAN G B, GARG S. BadNets: identifying vulnerabilities in the machine learning model supply chain[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1708.06733.
2	HE Y , SHEN Z L , XIA C , et al. SGBA: a stealthy scapegoat backdoor attack against deep neural networks. Computers & Security, 2024, 136, 103523.
3	LI H L, WANG Y F, XIE X F, et al. Light can hack your face! black-box backdoor attack on face recognition systems[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2009.06996.
4	LIN J Y, XU L, LIU Y Q, et al. Composite backdoor attack for deep neural network by mixing existing benign features[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2020: 113-131.
5	CHEN X Y, LIU C, LI B, et al. Targeted backdoor attacks on deep learning systems using data poisoning[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1712.05526.
6	LI S F , XUE M H , ZHAO B Z H , et al. Invisible backdoor attacks on deep neural networks via steganography and regularization. IEEE Transactions on Dependable and Secure Computing, 2021, 18 (5): 2088- 2105.
7	LI Y Z, LI Y M, WU B Y, et al. Invisible backdoor attack with sample-specific triggers[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Washington D.C., USA: IEEE Press, 2022: 16443-16452.
8	NGUYEN A, TRAN A. WaNet-imperceptible warping-based backdoor attack[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2102.10369.
9	SARKAR E , BENKRAOUDA H , KRISHNAN G , et al. FaceHack: attacking facial recognition systems using malicious facial characteristics. IEEE Transactions on Biometrics, Behavior, and Identity Science, 2022, 4 (3): 361- 372. doi: 10.1109/TBIOM.2021.3132132
10	GAO K F , BAI J W , WU B Y , et al. Imperceptible and robust backdoor attack in 3D point cloud. IEEE Transactions on Information Forensics and Security, 2024, 19, 1267- 1282. doi: 10.1109/TIFS.2023.3333687
11	ZHANG J , CHEN D D , HUANG Q D , et al. Poison Ink: robust and invisible backdoor attack. IEEE Transactions on Image Processing, 2022, 31, 5691- 5705. doi: 10.1109/TIP.2022.3201472
12	SALEM A, WEN R, BACKES M, et al. Dynamic backdoor attacks against machine learning models[C]//Proceedings of the 7th IEEE European Symposium on Security and Privacy (EuroS&P). Washington D.C., USA: IEEE Press, 2022: 703-718.
13	LIU Y F, MA X J, BAILEY J, et al. Reflection backdoor: a natural backdoor attack on deep neural networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2007.02343.
14	YAN Z C , LI G L , TIAN Y , et al. DeHiB: deep hidden backdoor attack on semi-supervised learning via adversarial perturbation. Proceedings of the AAAI Conference on Artificial Intelligence, 2021, 35 (12): 10585- 10593. doi: 10.1609/aaai.v35i12.17266
15	BARNI M, KALLAS K, TONDI B. A new backdoor attack in CNNS by training set corruption without label poisoning[C]//Proceedings of the IEEE International Conference on Image Processing (ICIP). Washington D.C., USA: IEEE Press, 2019: 101-105.
16	WENGER E, PASSANANTI J, BHAGOJI A N, et al. Backdoor attacks against deep learning systems in the physical world[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2021: 6202-6211.
17	XUE M F , HE C , WU Y H , et al. PTB: robust physical backdoor attacks against deep neural networks in real world. Computers & Security, 2022, 118, 102726.
18	HAN X S, XU G W, ZHOU Y, et al. Physical backdoor attacks to lane detection systems in autonomous driving[C]//Proceedings of the 30th ACM International Conference on Multimedia. New York, USA: ACM Press, 2022: 2957-2968.
19	SHAFAHI A, HUANG W R, NAJIBI M, et al. Poison frogs! targeted clean-label poisoning attacks on neural networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1804.00792.
20	CHENG S Y , LIU Y Q , MA S Q , et al. Deep feature space Trojan attack of neural networks by controlled detoxification. Proceedings of the AAAI Conference on Artificial Intelligence, 2021, 35 (2): 1148- 1156. doi: 10.1609/aaai.v35i2.16201
21	TURNER A, TSIPRAS D, MADRY A. Label-consistent backdoor attacks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1912.02771.
22	SAHA A , SUBRAMANYA A , PIRSIAVASH H . Hidden trigger backdoor attacks. Proceedings of the AAAI Conference on Artificial Intelligence, 2020, 34 (7): 11957- 11965. doi: 10.1609/aaai.v34i07.6871
23	NING R, LI J, XIN C S, et al. Invisible poison: a blackbox clean label backdoor attack to deep neural networks[C]//Proceedings of the IEEE Conference on Computer Communications. Washington D.C., USA: IEEE Press, 2021: 1-10.
24	DOAN K D, LAO Y J, LI P. Marksman backdoor: backdoor attacks with arbitrary target class[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2210.09194.
25	SALEM A, BACKES M, ZHANG Y. Don't trigger me! A triggerless backdoor attack against deep neural networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2010.03282.
26	TANG R X, DU M N, LIU N H, et al. An embarrassingly simple approach for Trojan attack in deep neural networks[C]//Proceedings of the 26th ACM SIGKDD International Conference on Knowledge Discovery & Data Mining. New York, USA: ACM Press, 2020: 218-228.
27	LI Y C, HUA J Y, WANG H Y, et al. DeepPayload: black-box backdoor attack on deep learning models through neural payload injection[C]//Proceedings of the 43rd IEEE/ACM International Conference on Software Engineering (ICSE). New York, USA: ACM Press, 2021: 263-274.
28	DUMFORD J, SCHEIRER W. Backdooring convolutional neural networks via targeted weight perturbations[C]//Proceedings of the IEEE International Joint Conference on Biometrics (IJCB). Washington D.C., USA: IEEE Press, 2021: 1-9.
29	COSTALES R, MAO C Z, NORWITZ R, et al. Live Trojan attacks on deep neural networks[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition Workshops (CVPRW). Washington D.C., USA: IEEE Press, 2020: 3460-3469.
30	QI X Y, ZHU J F, XIE C L, et al. Subnet replacement: deployment-stage backdoor attack against deep neural networks in gray-box setting[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2107.07240.
31	GARG S, KUMAR A, GOEL V, et al. Can adversarial weight perturbations inject neural backdoors[C]//Proceedings of the 29th ACM International Conference on Information & Knowledge Management. New York, USA: ACM Press, 2020: 2029-2032.
32	HONG S, CARLINI N, KURAKIN A. Handcrafted backdoors in deep neural networks[C]//Proceedings of the 36th International Conference on Neural Information Processing Systems. New York, USA: ACM Press, 2022: 8068-8080.
33	RAKIN A S, HE Z Z, FAN D L. TBT: targeted neural network attack with bit Trojan[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2020: 13195-13204.
34	CHEN H L, FU C, ZHAO J S, et al. ProFlip: targeted Trojan attack with progressive bit flips[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Washington D.C., USA: IEEE Press, 2022: 7698-7707.
35	BAGDASARYAN E, SHMATIKOV V. Blind backdoors in deep learning models[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2005.03823.
36	GAO Y S, DOAN B G, ZHANG Z, et al. Backdoor attacks and countermeasures on deep learning: a comprehensive review[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2007.10760.
37	XU J, KOFFAS S, ERSOY O, et al. Watermarking graph neural networks based on backdoor attacks[C]//Proceedings of the 8th IEEE European Symposium on Security and Privacy (EuroS&P). Washington D.C., USA: IEEE Press, 2023: 1179-1197.
38	LI G L, XU G W, QIU H, et al. Fingerprinting generative adversarial networks[EB/OL]. [2024-05-05]. https://arxiv.org/pdf/2106.11760.
39	LI Y M, ZHANG Z Q, BAI J W, et al. Open-sourced dataset protection via backdoor watermarking[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2010.05821.
40	SUN Z S, DU X N, SONG F, et al. CoProtector: protect open-source code against unauthorized training usage with data poisoning[C]//Proceedings of the ACM Web Conference 2022. New York, USA: ACM Press, 2022: 652-660.
41	GONG X L , CHEN Y J , WANG Q , et al. Defense-resistant backdoor attacks against deep neural networks in outsourced cloud environment. IEEE Journal on Selected Areas in Communications, 2021, 39 (8): 2617- 2631. doi: 10.1109/JSAC.2021.3087237
42	NGUYEN A, TRAN A. Input-aware dynamic backdoor attack[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2010.08138.
43	XIANG Z, MILLER D J, CHEN S H, et al. A backdoor attack against 3D point cloud classifiers[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision (ICCV). Washington D.C., USA: IEEE Press, 2022: 7577-7587.
44	ZHU J R, KAPLAN R, JOHNSON J, et al. HiDDeN: hiding data with deep networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1807.09937.
45	TANCIK M, MILDENHALL B, NG R. StegaStamp: invisible hyperlinks in physical photographs[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2020: 2114-2123.
46	BALUJA S. Hiding images in plain sight: deep steganography[EB/OL]. [2024-05-05]. https://proceedings.neurips.cc/paper_files/paper/2017/file/838e8afb1ca34354ac209f53d90c3a43-Paper.pdf.
47	ZHANG R, ISOLA P, EFROS A A, et al. The unreasonable effectiveness of deep features as a perceptual metric[C]// Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. Washington D.C., USA: IEEE Press, 2018: 586-595.
48	WANG Y L , ZHAO M H , LI S H , et al. Dispersed pixel perturbation-based imperceptible backdoor trigger for image classifier models. IEEE Transactions on Information Forensics and Security, 2022, 17, 3091- 3106. doi: 10.1109/TIFS.2022.3202687
49	DUAN R J, MA X J, WANG Y S, et al. Adversarial camouflage: hiding physical-world attacks with natural styles[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2020: 997-1005.
50	CHANG C C , HSIAO J Y , CHAN C S . Finding optimal least-significant-bit substitution in image hiding by dynamic programming strategy. Pattern Recognition, 2003, 36 (7): 1583- 1595. doi: 10.1016/S0031-3203(02)00289-3
51	DENG L . The MNIST database of handwritten digit images for machine learning research best of the web. IEEE Signal Processing Magazine, 2012, 29 (6): 141- 142. doi: 10.1109/MSP.2012.2211477
52	KRIZHEVSKY A. Learning multiple layers of features from tiny images[EB/OL]. [2024-05-05]. https://www.semanticscholar.org/paper/Learning-Multiple-Layers-of-Features-from-Tiny-Krizhevsky/5d90f06bb70a0a3dced62413346235c02b1aa086.
53	SHUMAILOV I, SHUMAYLOV Z, KAZHDAN D, et al. Manipulating SGD with data ordering attacks[EB/OL]. [2024-05-05]. https://www.researchgate.net/publication/351019936_Manipulating_SGD_with_Data_Ordering_Attacks.
54	SOURI H, FOWL L, CHELLAPPA R, et al. Sleeper agent: scalable hidden trigger backdoors for neural networks trained from scratch[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2106.08970.
55	DENG J, DONG W, SOCHER R, et al. ImageNet: a large-scale hierarchical image database[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Washington D.C., USA: IEEE Press, 2009: 248-255.
56	PARKHI O M, VEDALDI A, ZISSERMAN A. Deep face recognition[C]//Proceedings of the British Machine Vision Conference 2015. Washington D.C., USA: IEEE Press, 2015: 1-12.
57	CAO Q, SHEN L, XIE W D, et al. VGGFace2: a dataset for recognising faces across pose and age[C]//Proceedings of the 13th IEEE International Conference on Automatic Face & Gesture Recognition (FG 2018). Washington D.C., USA: IEEE Press, 2018: 67-74.
58	HUANG G B, MATTAR M A, BERG T L, et al. Labeled faces in the wild: a database for studying face recognition in unconstrained environments[EB/OL]. [2024-05-05]. https://inria.hal.science/inria-00321923/document.
59	LIU Z W, LUO P, WANG X G, et al. Deep learning face attributes in the wild[C]//Proceedings of the IEEE International Conference on Computer Vision (ICCV). Washington D.C., USA: IEEE Press, 2016: 3730-3738.
60	SUN Y, WANG X G, TANG X O. Deep learning face representation from predicting 10, 000 classes[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition. Washington D.C., USA: IEEE Press, 2014: 1891-1898.
61	WOLF L, HASSNER T, MAOZ I. Face recognition in unconstrained videos with matched background similarity[C]//Proceedings of the CVPR 2011. Washington D.C., USA: IEEE Press, 2011: 529-534.
62	KUMAR N, BERG A C, BELHUMEUR P N, et al. Attribute and simile classifiers for face verification[C]//Proceedings of the 12th IEEE International Conference on Computer Vision. Washington D.C., USA: IEEE Press, 2010: 365-372.
63	ZHANG N, PALURI M, TAIGMAN Y, et al. Beyond frontal faces: improving person recognition using multiple cues[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1501.05703.
64	STALLKAMP J , SCHLIPSING M , SALMEN J , et al. Man vs. computer: benchmarking machine learning algorithms for traffic sign recognition. Neural Networks, 2012, 32, 323- 332. doi: 10.1016/j.neunet.2012.02.016
65	SIMONYAN K, ZISSERMAN A. Very deep convolutional networks for large-scale image recognition[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1409.1556.
66	HE K M, ZHANG X Y, REN S Q, et al. Deep residual learning for image recognition[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2016: 770-778.
67	HUANG G, LIU Z, VAN DER MAATEN L, et al. Densely connected convolutional networks[C]//Proceedings of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2017: 2261-2269.
68	DÉSIDÉRI J A . Multiple-Gradient Descent Algorithm (MGDA) for multiobjective optimization. Comptes Rendus Mathematique, 2012, 350 (5/6): 313- 318.
69	RECTOR B J , WANG J K , MOZAFARI B . Revisiting projection-free optimization for strongly convex constraint sets. Proceedings of the AAAI Conference on Artificial Intelligence, 2019, 33 (1): 1576- 1583. doi: 10.1609/aaai.v33i01.33011576
70	WANG B L, YAO Y S, SHAN S, et al. Neural cleanse: identifying and mitigating backdoor attacks in neural networks[C]//Proceedings of the IEEE Symposium on Security and Privacy (SP). Washington D.C., USA: IEEE Press, 2019: 707-723.
71	LIU K, DOLAN G B, GARG S. Fine-pruning: defending against backdooring attacks on deep neural networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1805.12185.
72	GAO Y S, XU C, WANG D R, et al. STRIP: a defence against Trojan attacks on deep neural networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1902.06531.
73	CHOU E, TRAMÈR F, PELLEGRINO G. SentiNet: detecting localized universal attacks against deep learning systems[C]//Proceedings of the IEEE Security and Privacy Workshops (SPW). Washington D.C., USA: IEEE Press, 2020: 48-54.
74	WANG R, ZHANG G Y, LIU S J, et al. Practical detection of Trojan neural networks: data-limited and data-free cases[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2007.15802.
75	TRAN B, LI J, MADRY A. Spectral signatures in backdoor attacks[C]//Proceedings of the 32nd International Conference on Neural Information Processing Systems. New York, USA: ACM Press, 2018: 8011-8021.
76	CHEN B, CARVALHO W, BARACALDO N, et al. Detecting backdoor attacks on deep neural networks by activation clustering[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1811.03728.
77	LIU Y Q, LEE W C, TAO G H, et al. ABS: scanning neural networks for back-doors by artificial brain stimulation[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2019: 1265-1282.
78	VELDANDA A K, LIU K, TAN B, et al. NNoculation: catching BadNets in the wild[C]//Proceedings of the 14th ACM Workshop on Artificial Intelligence and Security. New York, USA: ACM Press, 2021: 49-60.
79	CHENG H, XU K D, LIU S J, et al. Defending against backdoor attack on deep neural networks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2002.12162.
80	SELVARAJU R R , COGSWELL M , DAS A , et al. Grad-CAM: visual explanations from deep networks via gradient-based localization. International Journal of Computer Vision, 2020, 128 (2): 336- 359. doi: 10.1007/s11263-019-01228-7
81	KOLOURI S, SAHA A, PIRSIAVASH H, et al. Universal litmus patterns: revealing backdoor attacks in CNNs[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR). Washington D.C., USA: IEEE Press, 2020: 298-307.
82	HUANG X J, ALZANTOT M, SRIVASTAVA M. NeuronInspect: detecting backdoors in neural networks via output explanations[EB/OL]. [2024-05-05]. https://arxiv.org/abs/1911.07399.
83	ADI Y, BAUM C, CISSE M, et al. Turning your weakness into a strength: watermarking deep neural networks by backdooring[C]//Proceedings of the 27th USENIX Conference on Security Symposium. San Diego, USA: USENIX Association, 2018: 1615-1631.
84	BARNI M, PÉREZ G F, TONDI B. DNN watermarking: four challenges and a funeral[C]//Proceedings of the 2021 ACM Workshop on Information Hiding and Multimedia Security. New York, USA: ACM Press, 2021: 189-196.
85	LI Z, HU C Y, ZHANG Y, et al. How to prove your model belongs to you: a blind-watermark based framework to protect intellectual property of DNN[C]//Proceedings of the 35th Annual Computer Security Applications Conference. New York, USA: ACM Press, 2019: 126-137.
86	LIU G Y , XU T L , MA X Q , et al. Your model trains on my data? protecting intellectual property of training data via membership fingerprint authentication. IEEE Transactions on Information Forensics and Security, 2022, 17, 1024- 1037. doi: 10.1109/TIFS.2022.3155921
87	ZHONG Q, ZHANG L Y, ZHANG J, et al. Protecting IP of deep neural networks with watermarking: a new label helps[EB/OL]. [2024-05-05]. https://link.springer.com/content/pdf/10.1007/978-3-030-47436-2_35.pdf.
88	LE T, PARK N, LEE D. A sweet rabbit hole by DARCY: using honeypots to detect universal trigger's adversarial attacks[EB/OL]. [2024-05-05]. https://arxiv.org/abs/2011.10492.
89	SHAN S, WENGER E, WANG B L, et al. Gotta Catch'Em all: using honeypots to catch adversarial attacks on neural networks[C]//Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security. New York, USA: ACM Press, 2020: 67-83.

[1]	韦昊东, 万良. 基于静态特征组合的图神经网络Android恶意软件检测方法[J]. 计算机工程, 2026, 52(3): 190-200.
[2]	程俊军, 王明文. 基于双分支深度图卷积网络的指静脉识别研究[J]. 计算机工程, 2026, 52(3): 152-160.
[3]	张志, 尹昱凯, 孙奕灵, 孟雯锦, 彭畅. 基于多模态特征融合的Android恶意软件检测模型研究[J]. 计算机工程, 2026, 52(3): 243-254.
[4]	孙伟, 陈俊杰. MF-cache:用于玉米病害识别的CLIP多模态缓存模型[J]. 计算机工程, 2026, 52(3): 420-428.
[5]	贾江浩, 张梓葳, 郜丽婷, 文娟, 薛一鸣. 基于层次感知匹配的文本隐写分析方法[J]. 计算机工程, 2026, 52(2): 245-252.
[6]	冉烔宇, 汤梦姿, 解庆, 刘永坚. 基于信息融合的半监督有序分类框架[J]. 计算机工程, 2026, 52(2): 287-298.
[7]	刘畅, 梁冰雪, 田荣坤, 秦玉华. 基于多特征融合和混合神经网络的医疗健康问题分类[J]. 计算机工程, 2026, 52(2): 342-355.
[8]	孙圆, 王康平, 赵鸣博. 基于多提示和图文对比学习的服装检索[J]. 计算机工程, 2026, 52(2): 322-330.
[9]	薛阳, 秦瑶, 张舒翔. 基于双重图注意力网络生成子图的图神经协同推荐[J]. 计算机工程, 2026, 52(2): 89-100.
[10]	郭天晟, 谢瑾奎. 自适应调节图增强与表示结构的推荐模型[J]. 计算机工程, 2026, 52(2): 69-78.
[11]	王海玲, 姜廷威, 方志军, 高宇飞. 基于动态脑网络特征的情绪识别方法[J]. 计算机工程, 2026, 52(2): 125-135.
[12]	王熠, 李智, 张丽, 石雪丽, 刘登波, 卢妤. 基于遥感图像场景分类的频域量化对抗攻击[J]. 计算机工程, 2026, 52(1): 266-281.
[13]	李志仁, 郑卫国. 基于简单路径图的链接预测[J]. 计算机工程, 2026, 52(1): 95-104.
[14]	钱存元, 陈国强, 李柱培. 基于机器学习的牵引逆变器IGBT间歇开路故障诊断方法[J]. 计算机工程, 2026, 52(1): 369-380.
[15]	李强, 谭兴义, 郑唯, 刘震, 杨文海. 基于对抗训练与对比表示蒸馏的图神经网络推理优化[J]. 计算机工程, 2026, 52(1): 126-135.

选择文件类型/文献管理软件名称

选择包含的内容

面向图像数据的深度学习后门攻击技术综述

Survey of Deep Learning Backdoor Attack on Image Data

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 18

参考文献 89

相关文章 15

编辑推荐

Metrics

本文评价

模态框（Modal）标题

选择文件类型/文献管理软件名称

选择包含的内容

面向图像数据的深度学习后门攻击技术综述

Survey of Deep Learning Backdoor Attack on Image Data

RichHTML

PDF

可视化

被引次数

摘要/Abstract

引用本文

使用本文

图/表 18

参考文献 89

相关文章 15

编辑推荐

Metrics

本文评价