Stealthy Backdoor Attack Based on WPD-FFT Dual-Domain Fusion

doi:10.19678/j.issn.1000-3428.0260083

Abstract

Abstract: Backdoor attacks on deep neural networks manipulate model behavior by implanting stealthy triggers into the training data, posing a serious threat to model security. However, most existing imperceptible backdoor attacks focus only on invisibility in the spatial domain while overlooking anomalies in frequency-domain features. These methods often introduce noticeable high-frequency artifacts or stable spectral residual patterns in the frequency domain, making them vulnerable to detection by frequency-based defense techniques. To address this issue, a dual-domain imperceptible backdoor attack method based on wavelet packet decomposition and fast Fourier transform is proposed. First, wavelet packet decomposition is employed to select carrier sub-bands according to the energy distribution characteristics of the target class, and an energy-aware adaptive trigger embedding strategy is applied to balance attack effectiveness and stealthiness. Then, fast Fourier transform is used for spectral reconstruction by combining the amplitude spectrum of clean samples with the phase spectrum of poisoned samples, thereby reducing detectable traces in the frequency domain. Comparative experiments are conducted on the CIFAR-10, CIFAR-100, and Tiny ImageNet datasets using PreAct-ResNet18 and VGG19-BN models. The results show that the proposed method maintains high attack effectiveness while significantly improving dual-domain stealthiness and robustness against defenses. On CIFAR-10, it achieves an attack success rate of 99.94% and demonstrates strong evasive capability against tested defenses such as FTD, Neural Cleanse, and STRIP.

摘要： 深度神经网络的后门攻击通过在训练数据中植入隐蔽触发器来控制模型行为，严重威胁模型安全。然而，现有隐形后门攻击大多仅关注空间域的不可见性，忽视了频域特征的异常。这些方法往往在频域引入显著的高频伪迹或稳定的谱残差模式，导致攻击易被基于频域分析的防御手段检测。针对此问题，提出了一种基于小波包分解与快速傅里叶变换双域融合的隐形后门攻击方法。首先，利用小波包分解技术，根据目标类别能量分布特征筛选载体子带并进行能量感知的自适应触发器嵌入，以平衡攻击有效性与隐蔽性；随后，利用快速傅里叶变换实施频谱重构，通过融合干净样本的振幅谱与中毒样本的相位谱，减弱频域可检测痕迹。在CIFAR-10、CIFAR-100和Tiny ImageNet数据集上，结合PreAct-ResNet18和VGG19-BN模型进行对比试验。结果表明，所提方法在保持高攻击有效性的同时有效提升了双域隐蔽性与抗防御鲁棒性；在CIFAR-10上取得了99.94%的攻击成功率，在所测试的FTD、Neural Cleanse、STRIP等防御下表现出较强规避能力。

LI Yang, ZHANG Boyang, LI Lihong. Stealthy Backdoor Attack Based on WPD-FFT Dual-Domain Fusion[J]. Computer Engineering, doi: 10.19678/j.issn.1000-3428.0260083.

李洋, 张博扬, 李丽红. 基于WPD-FFT双域融合的隐形后门攻击[J]. 计算机工程, doi: 10.19678/j.issn.1000-3428.0260083.

/ Recommend / Download Citations

URL: https://www.ecice06.com/EN/10.19678/j.issn.1000-3428.0260083

References

[1] 张倡倡, 吕卫东, 蔡子杰, 等. 基于域泛化的轻量化图像分类算法[J]. 计算机工程, 2025, 51(1): 182-189. ZHANG C C, LU W D, CAI Z J, et al. A lightweight image classification algorithm based on domain generalization[J]. Computer Engineering, 2025, 51(1): 182-189 (in Chinese).
[2] MENG S, SHI Z, NEX F, et al. Lightweight semantic segmentation for co-seismic landslide identification using adaptive transfer learning[J]. Engineering Applications of Artificial Intelligence, 2026, 166: 113683.
[3] CONG X, HAN Y, CHEN C, et al. A multi-modal fusion algorithm for space target recognition based on spatial at-tention and multi-scale temporal network[J]. Aerospace, 2025, 12(12): 1081.
[4] 费蓉, 马梦阳, 张晓, 等. 基于轨迹预测与冲突检测的自动驾驶碰撞检测模型[J]. 计算机工程, 2023, 49(7): 10-20+46. FEI R, MA M Y, ZHANG X, et al. A collision detection model for autonomous driving based on trajectory predic-tion and conflict detection[J]. Computer Engineering, 2023, 49(7): 10-20+46 (in Chinese).
[5] 王新娇, 曾上游, 魏书伟, 等. 基于卷积神经网络的智能家庭安防监控系统[J]. 现代电子技术, 2021, 44(24): 25-28. WANG X J, ZENG S Y, WEI S W, et al. An intelligent home security monitoring system based on convolutional neural networks[J]. Modern Electronics Technique, 2021, 44(24): 25-28 (in Chinese).
[6] YUAN C, BAI J, YUAN S, et al. Stealthy and effective clean-label backdoor attack via adaptive frequency-domain suppression and trigger combination[J]. IEEE Transactions on Information Forensics and Security, 2025, 20: 11295-11310.
[7] TYUKIN I Y, HIGHAM D J, BASTOUNIS A, et al. The feasibility and inevitability of stealth attacks[J]. IMA Journal of Applied Mathematics, 2024, 89(1): 44-84.
[8] LI G, CHANG R, WANG Y, et al. Dual-domain based backdoor attack against federated learning[J]. Neurocomputing, 2025, 623: 129424.
[9] XIA J, YUE Z, ZHOU Y, et al. WaveAttack: asymmetric frequency obfuscation-based backdoor attacks against deep neural networks[C]//Advances in Neural Information Processing Systems 37 (NeurIPS 2024). Red Hook, NY, USA: Curran Associates, Inc., 2024: 43549-43570.
[10] GU T, LIU K, DOLAN-GAVITT B, et al. BadNets: evalu-ating backdooring attacks on deep neural networks[J]. IEEE Access, 2019, 7: 47230-47244.
[11] CHEN X, LIU C, LI B, et al. Targeted backdoor attacks on deep learning systems using data poisoning[R]. arXiv:1712.05526, 2017.
[12] LI Y, LI Y, WU B, et al. Invisible backdoor attack with sample-specific triggers[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Montreal, QC, Canada: IEEE, 2021: 16463-16472.
[13] Nguyen T A, Tran A T. WaNet: Imperceptible Warp-ing-based Backdoor Attack[C]// International Conference on Learning Representations (ICLR). 2021.
[14] ZENG Y, PARK W, MAO Z M, et al. Rethinking the backdoor attacks' triggers: A frequency perspective[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Los Alamitos, CA, USA: IEEE Computer Society, 2021: 16473-16481.
[15] FENG Y, MA B, ZHANG J, et al. FIBA: Frequency-Injection Based Backdoor Attack in Medical Image Analysis[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. New Orleans, LA, USA: IEEE Computer Society Conference Publishing Services (CPS), 2022: 20876-20885.
[16] WANG T, YAO Y, XU F, et al. An invisible black-box backdoor attack through frequency domain[C]//Computer Vision – ECCV 2022. Cham: Springer, 2022: 396-413.
[17] GAO Y, CHEN H, SUN P, et al. A dual stealthy backdoor: From both spatial and frequency perspectives[C]//Proceedings of the AAAI Conference on Artificial Intelligence. Washington, DC, USA: AAAI Press, 2024: 1851-1859.
[18] LIU Y, MA X, BAILEY J, et al. Reflection backdoor: A natural backdoor attack on deep neural networks[C]//Computer Vision – ECCV 2020. Cham: Springer, 2020: 182-199.
[19] ZHONG N, QIAN Z, ZHANG X. Imperceptible backdoor attack: From input space to feature representation[C]//Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence. Vienna, Austria: International Joint Conferences on Artificial Intelligence Organization, 2022: 1736-1742.
[20] YUE C, LV P, LIANG R, et al. Invisible backdoor attacks using data poisoning in frequency domain[C]//ECAI 2023: 26th European Conference on Artificial Intelligence. Kraków, Poland: IOS Press, 2023: 2954-2961.
[21] DRÄGER N, XU Y, GHAMISI P. Backdoor attacks for remote sensing data with wavelet transform[J]. IEEE Transactions on Geoscience and Remote Sensing, 2023, 61: 1-15.
[22] LUO Z, LI F, PENG J. LBP-LSB Co-Optimisation for Dynamic Unseen Backdoor Attacks[J]. Electronics, 2025, 14(21): 4216.
[23] TANG D, WANG X F, TANG H, et al. Demon in the vari-ant: Statistical analysis of DNNs for robust backdoor con-tamination detection[C]//30th USENIX Security Sympo-sium (USENIX Security 21). Berkeley, CA, USA: USE-NIX Association, 2021: 1541-1558.
[24] CHOU E, TRAMER F, PELLEGRINO G. SentiNet: De-tecting localized universal attacks against deep learning systems[C]//2020 IEEE Security and Privacy Workshops (SPW). San Francisco, CA, USA: IEEE, 2020: 48-54.
[25] GAO Y, XU C, WANG D, et al. STRIP: A defence against trojan attacks on deep neural networks[C]//Proceedings of the 35th Annual Computer Security Applications Conference. New York, NY, USA: Association for Computing Machinery, 2019: 113-125.
[26] WANG B, YAO Y, SHAN S, et al. Neural Cleanse: Identi-fying and mitigating backdoor attacks in neural net-works[C]//2019 IEEE Symposium on Security and Privacy (SP). Los Alamitos, CA, USA: IEEE Computer Society, 2019: 707-723.
[27] LIU Y, LEE W C, TAO G, et al. ABS: Scanning neural networks for back-doors by artificial brain stimulation[C]//Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security. New York, NY, USA: Association for Computing Machinery, 2019: 1265-1282.
[28] ZHU M, WEI S, SHEN L, et al. Enhancing fine-tuning based backdoor defense with sharpness-aware minimization[C]//Proceedings of the IEEE/CVF International Conference on Computer Vision. Paris, France: IEEE, 2023: 4466-4477.
[29] LI Y, LYU X, MA X, et al. Reconstructive neuron pruning for backdoor defense[C]//Proceedings of the 40th Interna-tional Conference on Machine Learning. Honolulu, Hawaii, USA: PMLR, 2023: 19837-19854. [30] ZHENG R, TANG R, LI J, et al. Data-free backdoor re-moval based on channel lipschitzness[C]//Computer Vision – ECCV 2022. Cham: Springer, 2022: 175-191.
[31] KRIZHEVSKY A, HINTON G. Learning multiple layers of features from tiny images[R]. Toronto, Canada: University of Toronto, 2009.
[32] DENG J, DONG W, SOCHER R, et al. ImageNet: A large-scale hierarchical image database[C]//2009 IEEE Conference on Computer Vision and Pattern Recognition. Miami, FL, USA: IEEE, 2009: 248-255.

Please choose a citation manager

Content to export