Just Rotate it: Deploying Backdoor Attacks
via Rotation Transformation

Data poisoning attacks (Biggio et al., 2012; Burkard and Lagesse, 2017; Steinhardt et al., 2018) are attacks happening during the training process. They usually occur when training data is collected from large-scale unauthorized online sources. One particular type of poisoning attack is backdoor attacks (Gu et al., 2017), where the objective is to cause the model to misclassify when testing data is triggered and behave normally in a benign setting. The vast majority of literature on backdoor attacks focuses on attacks in digital domain where the designed triggers include occlusion-based patch (Gu et al., 2017; Lin et al., 2020), frequency-based corruption (Hammoud and Ghanem, 2021; Wang et al., 2021b), and blended-based invisible noise (Chen et al., 2017). Later, physically implementable backdoors (e.g. eyeglass frame, earrings) were introduced (Chen et al., 2017; Wenger et al., 2020), raising real-world threats to face recognition systems. Recently, Li et al. (2021) mentioned that rotation could be utilized as the trigger in the 3D point cloud classification setting. For object detection, Chan et al. (2022) proposed four types of patch-wise backdoor attacks that can achieve various malicious goals.

Object detection aims to locate and classify the objects in an image by predicting a list of bounding boxes $\bm{b}$ (aka bbox). Let $\bm{x}\in[0,255]^{W\times H\times 3}$ represent the input image and $\bm{y}=[\bm{b}_{1},\bm{b}_{2},\ldots,\bm{b}_{n}]$ stands for the ground truth containing $n$ objects. For each bbox $\bm{b}$, it contains $[a_{\min},b_{\min},a_{\max},b_{\max},c]$, where $a_{\min}$, $b_{\min}$, $a_{\max}$, $b_{\max}$ together illustrate the coordinates of the object, and $c$ denotes the predicted label. An object detector $\mathbb{F}(\mathbf{x})$, including two-stage (e.g., Faster-RCNN (Ren et al., 2015)) or one-stage(e.g., YOLO (Redmon et al., 2016)), will then predict a list of bbox. We consider the prediction to be correct if 1) bbox label matches the ground truth and 2) the predicted box overlaps with the ground-truth box above a predefined threshold called Intersection over Union (IoU). We term the number of correct predictions as true positive ($\mathrm{TP}$), incorrect predictions on non-exist objects as false positive ($\mathrm{FP}$), and undetected ground truth as false negative ($\mathrm{FN}$). Besides, precision and recall are defined as $\mathrm{TP}/(\mathrm{TP}+\mathrm{FP})$ and $\mathrm{TP}/(\mathrm{TP}+\mathrm{FN})$ respectively.

We assume that an attacker who gains access to a small fraction of training data in some safety-critical applications (e.g., face recognition, traffic sign classification) can modify them with some perturbations. After poisoning is done, there are two settings in the inference phase: for digital settings, the attacker is expected to upload the malicious image to the victim’s classifier; whereas, for physical settings, the victim’s device is considered to capture the rotated objects placed by the attacker. Following the existing backdooring literature (Gu et al., 2017; Chen et al., 2017), the adversary does not control the training process and has zero knowledge of the model architecture and parameters. Ultimately, depending on the attacker’s objective, the compromised model will either incorrectly predict the object as the target class or fail to detect it when the trigger appears. Besides, it should operate similar to a benign model over clean inputs to remain stealthy.

Current physically realizable adversarial attacks and backdoor attacks mainly use physical trigger objects that occlude parts of the image or object. For example they use eyeglasses, patches, or earrings (Sharif et al., 2016; Chen et al., 2017; Eykholt et al., 2018; Wu et al., 2019; Wenger et al., 2020). However, spatial transformations (Fawzi and Frossard, 2015; Kanbak et al., 2018; Engstrom et al., 2019), which are more likely to occur, are harder to deploy as an attacking method in the physical world. Two main challenges exist:

• •

  Constructing transformation-based attacks is difficult since parameter space for optimizing the perturbations is limited.

• •

  Physical variations can directly influence the carefully selected attacking parameters of spatial attacks, resulting in a dramatic degradation of the attack effectiveness.

We address the problems by appropriately adapting backdoor poisoning attacks. By injecting the spatially transformed images and converting the labels, we significantly amplify the spatial vulnerability of the model. Our insight comes from proof of Manoj and Blum (2021), where ML models can approach the union of a function that looks similar to the benign classifier on clean inputs and another adversary-chosen function. Therefore, in our case, the infected model learns that every benign non-rotated image is correlated to the correct label, where the rotated one should be classified as the target label.

Deploying most spatial transformations in the physical world is nontrivial since attackers are required to control both the camera and objects. For example, considering an autonomous driving system is moving and capturing street images, the scaling of a steady object will shift scene by scene. Therefore, precisely calibrating the object’s scale to the malicious parameter is exceptionally challenging. Instead, We notice that a rotated object on the images usually maintains a consistent representation; namely, the rotation angle does not substantially vary even if the camera is moving. Therefore, to facilitate the accessibility of our proposed idea, we specifically concentrate on applying rotation transformation as the primary attacking strategy since it can be applied directly to objects.

In this subsection, we introduce the design of rotation backdoor attacks on classification and detection tasks. A summary of important notations is provided in Table 1.

where $\ell$ is the loss function, $(\bm{x},y)$ is the clean input, and $(\bm{x}^{\prime},y_{t})$ is poisoned samples with targeted label $t$. $\bm{x}^{\prime}$ is constructed by rotating the benign image $\bm{x}$ with predetermined $\beta$ degree (defined as $R_{\beta}(\bm{x})$).

The optimal method of generating a backdoor sample is to rotate the object itself, but it is challenging to synthesize the transformation. Therefore, we consider following Engstrom et al. (2019)’s approach, which is performing rotation to the whole image, anticipating the poisoning effect can generalize to the triggered physical objects. However, standard rotation transformation operation will result in black triangles in four corners.³³3In standard built-in function (e.g., scikit-learn, cv2), black pixels (0 in value) will fill into the unknown places at the corner. The black triangles will then lead to a less rigorous digital evaluation of backdoor attacks since they can also be considered a trigger. We then solve it by obtaining the original background information. For traffic sign and face recognition tasks, we prepossess the raw image with a larger area than the standard pipeline, ensuring a rotation operation will not lose information. Then, we rotate the inputs to the predefined trigger angle $\beta$, crop them to match the shape with benign images, and insert them into the training set to deploy attacks.

We formulate two scenarios for image classification task given different resources: Single Class Attacks (SCA) and Multiple Class Attacks (MCA). In SCA, attackers obtain access to images from one source class and aim to fool the classifier with images only from it; whereas in MCA, multiple-class data are available, and images from all classes can be utilized during inference time.

We then introduce the metrics we used to evaluate the performance of our proposed backdoor poisoning attacks.

We evaluate our attacks on the common benchmark GTSRB (Houben et al., 2013) for traffic sign classification, YouTube Face (Wolf et al., 2011) for face identification and PASCAL VOC dataset (Everingham et al., 2009) for object detection.

GTSRB (Houben et al., 2013). GTSRB is a dataset containing 43 types of German traffic signs, 39211 samples in the training set, and 12630 samples in the test set. To deploy valid backdoor attacks, we additionally collect 1213 images as potential backdoors following the same data prepossessing method. We adopt the GTSRB-CNN architecture (Eykholt et al., 2018) for our classifier, which obtains 97.68% of clean accuracy. Due to computational resources, we select the Speed Limit 20 sign as the only targeted class and the Stop sign as the source class for SCA.

YouTube Face (Wolf et al., 2011). We randomly select 100 classes from the original YouTube Faces dataset, each of which has 100 face images in the training set, 10 in the test set, and 10 in the backdoor set. We leverage VGGFace model (Parkhi et al., 2015) and FaceNet (Schroff et al., 2015) as pretrained models, and fine-tune it with processed training data, reaching 100% accuracy on the clean dataset.

VOC (Everingham et al., 2009). PASCAL VOC dataset is an object detection challenge that contains annotations for 20 different object classes. Following the common practice (Liu et al., 2016; Xiang et al., 2022), we combine the trainval2007 set (5k images) and the trainval2012 set (11k images) for training and evaluate on the test2007 set (5k images). We randomly choose 100 bottles from the training set of COCO (Lin et al., 2014) and 30 bottles from the test set as the backdoor candidates. Besides, we use YOLO-R (Wang et al., 2021a) as the backbone to evaluate the performance.

Rotation-based backdoors inherently exploit the vulnerability of neural networks against spatial transformation (Engstrom et al., 2019); thus, it is natural to ask whether improved invariance, namely data augmentation, to rotation will fix it. Under a similar motivation, Borgnia et al. (2020) has also taken advantage of data augmentation (e.g, mixup (Zhang et al., 2017) and CutMix (Yun et al., 2019)), which significantly diminishes the threat of patch-based backdoor attacks.

We scanned the literature of training common benchmark classifiers and detectors (He et al., 2016; Huang et al., 2017; Tan and Le, 2019; Dosovitskiy et al., 2020; Bochkovskiy et al., 2020; Liu et al., 2021; Kızılay and Aydin, 2022) and common data augmentation techniques (Devries and Taylor, 2017; Zhang et al., 2017; Yun et al., 2019) for developing robust classifier. According to our survey, rotation augmentations are not adopted in any benchmark models and are limited to $\pm 30^{\circ}$ for data augmentations. Therefore, we specifically select three levels of data augmentation which are $[-15^{\circ},+15^{\circ}]$ $[-30^{\circ},+30^{\circ}]$, and $[-45^{\circ},+45^{\circ}]$ rotation augmentations.⁶⁶6For implementation, we directly utilize RandomRotation function from the Pytorch library (Paszke et al., 2019), where every image is rotated for an angle uniformly chosen from the given range.

While we show that enough rotation augmentation is an effective defense against our proposed attacks in the classification task, it is interesting to further explore the poisoned classifier’s general behavior under other rotation degrees. In Figure 3, we evaluate rotation backdoored models with $15^{\circ}$, $30^{\circ}$, $45^{\circ}$, and $90^{\circ}$ triggers on all angles at test time on GTSRB MCA setting. Specifically, we are comparing the performance between no augmentation and $[-45^{\circ},+45^{\circ}]$ augmentation.

Rotation invariant neural networks can be almost achieved by applying $[-180^{\circ},+180^{\circ}]$ augmentations, where all angles are covered during training. Our observations also demonstrate that ASR drops to $\sim$0% for all backdoored angles in the classification task. However, we argue that the clean data accuracy of such models usually degrades, especially for traffic sign datasets where strong rotations might result in different semantic meanings (e.g., left turn and right turn). In addition, rotation backdoor attack is orthogonal to other backdoor attacks like patch-wise attacks (Gu et al., 2017; Chen et al., 2017) and frequency based attacks (Wang et al., 2021b). Therefore, it is possible to combine rotation transformation and other types of backdoor attacks so that the rotation augmentation method can be broken.

In this subsection, we follow the evaluations of Wenger et al. (2020) to examine three common corruptions from capturing images to feeding through the model. Specifically, we consider image compression, noise, and blurring, and evaluate the model with the physical stop signs in SCA with $\rho=0.05\%$.

Figure 8(a) demonstrates the impact of image compression, which may happen due to the device’s storage space. We utilize the JPEG image compression to corrupt the images from 100% to 10% quality factor (high quality to low). Figure 8(b) indicates the impact of Gaussian noise which can be commonly observed during image capturing. We then add the noise with zero mean and $\sigma$ varying from 0 to 0.3 (zero noise to intense noise). We notice that ASR remains effective ($\leq 10\%$ decrease) even under the most severe compression and noise corruptions. Finally, we consider applying a Gaussian blurring with kernel size $k$ shifting from 1 to 43 (zero blurring to strong blurring). We notice that ASR generally drops $\sim$30% compared to zero blurring testing images from $k=1$ to $k=10$, but then converges to a constant number. Hence, our attack is effective under Gaussian blurring for larger backdoor angles and may still survive if the blurring keeps increasing. In addition, figure 8(d) visualizes three most substantial corruptions.