Title: |
Research on Poisoning Attack Methods for Image Classification Models
|
Author: |
李江涛
|
Student ID: |
22208223080
|
Confidentiality level: |
Confidential (open after 1 year)
|
Language: |
chi
|
Discipline code: |
085400
|
Discipline: |
Engineering - Electronic Information
|
Student type: |
Master's student
|
Degree: |
Master of Engineering
|
Degree year: |
2025
|
University: |
西安科技大学
|
School/Department: |
人工智能与计算机学院
|
Major: |
Computer Technology
|
Research direction: |
Artificial intelligence security
|
Supervisor: |
于振华
|
Supervisor's institution: |
西安科技大学人工智能与计算机学院
|
Submission date: |
2025-06-24
|
Defense date: |
2025-05-29
|
Title (English): |
Research on Poisoning Attack Methods for Image Classification Models
|
Keywords: |
Image classification ; poisoning attacks ; overlay coupling feature maps ; spatial adaptive feature selection ; feature calibration network
|
Keywords (English): |
Image classification ; poisoning attacks ; overlay coupling feature maps ; spatial adaptive feature selection ; feature calibration network
|
Abstract: |
With the rapid development of deep learning, deep neural networks have been widely applied in fields such as image classification, semantic segmentation and object detection, and their security problems have gradually attracted attention. Image classification models based on deep neural networks are vulnerable to data poisoning attacks: by injecting malicious samples into the training data, an attacker disrupts the model's training process, degrading its performance or causing wrong predictions. Such attacks not only threaten the reliability of the model but can also be exploited maliciously, creating security risks in practical applications. Therefore, research on poisoning attack methods for image classification models has important theoretical significance and application value.

This thesis focuses on two kinds of poisoning attacks against image classification models: availability poisoning attacks and backdoor attacks. Existing methods still have the following shortcomings. For availability poisoning attacks, the process of generating poisoned samples is cumbersome and the samples are fragile. For backdoor attacks, the triggers have simple features and a single style, which makes it hard to carry out stable and covert attacks across diverse scenarios. To address these problems, the thesis carries out the following research:

(1) To address the high fragility of poisoned samples in existing availability poisoning attack methods, a poisoning attack method induced by overlay-coupled feature maps is proposed. First, a dual-layer overlay-coupled multi-attention convolutional network is built to extract the features of every image in the training set and generate the corresponding weight vectors, which are fused by weighted combination into overlay-coupled feature maps. Next, an extraction loss function is designed to update the weights of the dual-layer overlay-coupled multi-attention convolutional network, strengthening its ability to extract key image features. Finally, a perturbation filtering network is built to select the overlay-coupled feature maps with higher confidence, which are then spliced with clean images to generate poisoned samples. Experimental results show that the method reaches an average test accuracy of 10.05% on the lower-resolution CIFAR10 dataset and 1.11% on the higher-resolution ImageNet100 dataset. Compared with mainstream methods, the average test accuracy on the two datasets is lowered by a further 1.35% and 0.88% respectively, giving a better attack effect.

(2) To address the limitations of existing backdoor attack methods in trigger attack effectiveness and diversity, a spatially adaptive multi-feature fusion backdoor attack method is proposed. First, a spatially adaptive feature selection network is designed on the ViT architecture; it introduces an efficient channel attention mechanism and one-dimensional convolution layers to strengthen the extraction of global and local image features, and combines multi-head attention with residual connections to refine feature modelling, so that the generated triggers are more effective. Next, a feature calibration network is proposed that maps image labels to fixed-length binary vectors; a difference loss and a constant-sparsity loss are designed to guarantee that the label mappings are unique and sparse, which in turn guides trigger generation. Finally, combining the label mapping graph with the ranked image regions, a precise poisoned-sample generation strategy is proposed, so that the embedded trigger is both covert and able to reliably trigger the model's abnormal behaviour. The method is evaluated on multiple datasets and models. Taking the ImageNet-2K dataset as an example, the average attack success rate across the models reaches 81.1% while the test accuracy on clean data stays above 84.72%. Compared with mainstream methods, the method markedly improves trigger effectiveness and stealth and achieves a better attack effect.

(3) Building on the proposed methods, a poisoning attack system for image classification models is designed and implemented, providing attack parameter configuration, dataset generation, model training and testing, and metric visualisation. This prototype system verifies the practicality of the proposed poisoning attack methods and provides a theoretical basis and technical support for poisoning attack methods targeting image classification models.
|
Abstract (English): |
With the rapid development of deep learning, deep neural networks have been widely applied in fields such as image classification, semantic segmentation, and object detection. Their security issues have also attracted increasing attention. Image classification models based on deep neural networks are vulnerable to data poisoning attacks. By injecting malicious samples into the training data, the attacker disrupts the training process of the model, resulting in wrong predictions. Such attacks not only threaten the reliability of the model but also pose potential security risks, which can affect practical applications if maliciously exploited. Therefore, studying poisoning attack methods for image classification models holds significant theoretical and practical value.

This thesis mainly focuses on two types of poisoning attacks on image classification models: availability poisoning attacks and backdoor attacks. In availability poisoning attacks, the poisoning sample generation process is cumbersome and the samples are vulnerable. In backdoor attacks, the triggers have limited complexity and lack diversity in style, making it challenging to carry out stable and covert attacks across various scenarios. To address the above issues, the following research is conducted:

(1) To address the vulnerability of poisoning samples in existing availability poisoning attacks, this thesis proposes a poisoning attack method based on overlay-coupled feature map induction. A dual-layer overlay-coupled multi-attention convolution network is constructed to extract features from each image in the training set and generate corresponding weight vectors, which are then fused to generate overlay-coupled feature maps. A loss function is designed to update the weights of the dual-layer overlay-coupled multi-attention convolution network, enhancing its ability to extract key image features. A disturbance filtering network is built to select the overlay-coupled feature maps with higher confidence, which are then concatenated with clean images to generate poisoning samples. Experimental results show that the proposed method achieves an average test accuracy of 10.05% on the lower-resolution CIFAR10 dataset and 1.11% on the higher-resolution ImageNet100 dataset. Compared with mainstream methods, the proposed method achieves an average accuracy reduction of 1.35% and 0.88% on the two datasets, demonstrating better attack effectiveness.

(2) To address the limitations of existing backdoor attack methods in terms of trigger attack effectiveness and concealment, this thesis proposes a spatial adaptive multi-feature fusion backdoor attack method. First, a spatial adaptive feature selection network is designed based on the ViT architecture. It incorporates efficient channel attention mechanisms and one-dimensional convolution layers, which enhances the ability to extract both global and local image features. Multi-head attention mechanisms and residual connections are then used to optimize feature modeling, ensuring that the generated triggers exhibit enhanced attack effectiveness. Next, a feature calibration network is proposed to map image labels to fixed-length binary vectors. By designing diversity and constant sparsity loss functions, the uniqueness and sparsity of label mappings are ensured, guiding the generation of triggers. Finally, the label mapping graph is combined with the sorted image regions, and a precise poisoning sample generation strategy is proposed to ensure that the trigger is both covert and capable of effectively triggering the abnormal behaviors of the model. To validate the effectiveness of this method, experiments are conducted on multiple datasets and models. Using the ImageNet-2K dataset as an example, the average attack success rate for each model reaches 81.1%, while the clean data test accuracy remains above 84.72%. Compared to mainstream methods, this method significantly enhances the attack effectiveness and concealment of triggers, achieving better attack results.

(3) Based on the proposed methods, a poisoning attack system for image classification models is designed and developed. This system implements features such as poisoning attack parameter settings, dataset generation, model training and testing, and performance visualization. Through this prototype system, the practicality of the proposed poisoning attack methods is validated, providing theoretical and technical support for poisoning attack methods targeting image classification models.
|
CLC number: |
TP391
|
Open date: |
2026-06-24
|