Journal of Information Security Research ›› 2026, Vol. 12 ›› Issue (6): 510-.


Dynamic Invisible Backdoor Attack via Frequency Domain Injection

  

  1. (School of Computer Science, Nanjing University of Information Science and Technology, Nanjing 210044)
  • Online: 2026-06-07 Published: 2026-06-07


Chen Xianyi (陈先意), Wang Jing (王晶), Liu Tengjun (刘腾骏), Guo Qianbin (郭倩彬), Yang Sen (杨森)

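  • Corresponding author: Liu Tengjun, PhD, lecturer. Main research interest: intellectual property protection of digital assets. 003825@nuist.edu.cn
  • About the authors: Chen Xianyi, PhD, associate professor. Main research interests: blockchain security, big data security, and artificial intelligence security. xianyi_chen@nuist.edu.cn; Wang Jing, master's student. Main research interest: artificial intelligence security. 202312490535@nuist.edu.cn; Liu Tengjun, PhD, lecturer. Main research interest: intellectual property protection of digital assets. 003825@nuist.edu.cn; Guo Qianbin, master's student. Main research interest: artificial intelligence security. 202312490792@nuist.edu.cn; Yang Sen, master's student. Main research interest: artificial intelligence security. ysen0201@126.com
  • Supported by:
    National Key Research and Development Program of China (2021YFB2700900); National Natural Science Foundation of China (U22B2062, 62172232); Jiangsu Province Outstanding Youth Fund (BK20200039)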

Abstract: Deep neural networks are highly vulnerable to backdoor attacks because of their non-interpretability and heavy dependence on data during training. Although current mainstream backdoor attack methods generally use a fixed trigger design to simplify implementation, these triggers often differ significantly from the training data distribution, which makes them easy to detect and identify. To this end, this paper proposes a dynamic invisible backdoor attack method via frequency domain injection: first, a generative network is used to generate a specific trigger pattern based on the input samples, and then the high-frequency information of the pattern is injected into the wavelet domain of the samples, ensuring the triggers remain stealthy. Additionally, this paper designs a fair screening strategy that uses cosine similarity and the K-means clustering algorithm to select samples that are more influential to the backdoor model. Experimental results show that this method outperforms existing methods (e.g., BadNets, Blend, WaNet, and WABA) in terms of attack success rate and stealthiness, and effectively circumvents a variety of state-of-the-art defence mechanisms (e.g., FP, NC, SentiNet, and SCALEUP), providing significant robustness and extensive practical potential.

Key words: backdoor attack, model security, dynamic trigger, sample selection, frequency domain

