Article
Peer-Review Record

Image-Synthesis-Based Backdoor Attack Approach for Face Classification Task

Electronics 2023, 12(21), 4535; https://doi.org/10.3390/electronics12214535
by Hyunsik Na and Daeseon Choi *
Reviewer 1: Anonymous
Reviewer 2: Anonymous
Reviewer 3: Anonymous
Reviewer 4: Anonymous
Submission received: 25 September 2023 / Revised: 30 October 2023 / Accepted: 2 November 2023 / Published: 3 November 2023
(This article belongs to the Special Issue AI Security and Safety)

Round 1

Reviewer 1 Report

Comments and Suggestions for Authors

This manuscript presents an image synthesis-based backdoor attack approach which is applied to face classification and evaluates it against different scenarios. This study is comprehensive and can be accepted for publication after some modifications are performed to the manuscript.

In the Abstract section, the authors should directly clarify whether the goal is to develop a backdoor attack method or to determine ways to avoid this type of attacks, or both.

In the Introduction section, the authors should also clarify the potential unfavorable consequences of backdoor attacks to DNN in real life applications, in order to prove the necessity of their study.

In Section 2, some more references are required in subsections 2.1.1 and 2.1.2.

As the study is very comprehensive, including comparisons of the proposed method with other existing methods and evaluation of different scenarios, an appropriate flowchart regarding the different steps of the present study is required.

In subsection 4.1.2, the authors should provide more details about the datasets used for training and testing the models.

The Section 10, named "Patents" does not include any data, so it should be removed.

Comments on the Quality of English Language

Minor editing is required.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 2 Report

Comments and Suggestions for Authors

In this paper, the Authors present a novel method for performing backdoor attacks based on image synthesis in classification operations of deep neural networks.

The document is quite well written, without relevant English language issues. It is organized as follows: Abstract, a first Section containing an Introduction, a second Section on Background and Related Work, a third Section on Image Synthesis-based Backdoor Attack, a fourth Section on Experiments, a fifth Section on Robustness of the Proposed Attack, a sixth Section on Resistance to Prior Backdoor Attacks, a seventh Section on Clean Level Attack Scenario, an eighth Section on Discussion and Future Work, a ninth Section with the Conclusion, and finally the References used.

After a thorough review, I believe that the paper could be of some interest to the readers of the journal Electronics. However, I have some questions and suggestions for the Authors. Please, see my comments below.

1.  The organization of the manuscript differs from the usual one, making it difficult to read and understand it to the reader. The 'Instructions for Authors' section of the journal indicates that 'We do not have strict formatting requirements, but all manuscripts must contain the required sections: Author Information, Abstract, Keywords, Introduction, Materials & Methods, Results, Conclusions, Figures and Tables with Captions, Funding Information, Author Contributions, Conflict of Interest and other Ethics Statements.' Please, try to conform as much as possible to the proposed structure. The exposition of the Authors must proceed in a linear way, separating the different main blocks of the document to facilitate the reader's task.

2.  At the end of the Introduction section, a short description about the structure of the document is recommended to inform the reader about how it is organized and what to expect in the next sections.

3.  It would be advisable to revise the document to relocate those paragraphs where they would fit better. For example, Lines 51-93 might belong to the Materials and Methods section, current Sections 1 and 2 could be merged, etc.

4.  Figure 1 and Table 2 mention the Authors' proposal, time before presenting it in the Materials and Methods section.

5.  Figure 2 could be reelaborated to make it easier to understand and less confusing, especially regarding the face pictures. Same about Figure 3: Is the image reconstructed based only on the style matrix and the segmentation mask data?

6.  Please explain where the '512' figure comes from in Line 202.

7.  Please rewrite Lines 199-211 to make them easier to understand by the readers.

8.  Please explain the meaning of 'several images against each person' in Line 221.

9.  Please rewrite 'from 0.005 to half' in Line 239.

10. Perhaps the Authors should justify the choices made in Lines 251-260.

11.  How could affect different characteristics of the pictures chosen to be altered to the results of the study (lighting, contrast, color saturation, ...)?

12.  I consider that the Discussion section should be rewritten. Such discussion section should clearly determine what is the main contribution of the article compared to other studies or similar works in the related field of study. Authors need to pay special attention to this comparison and highlight the relevance of their contributions. Additionally, please consider providing more realistic examples than those in Section 8.2, as it would require to consider affecting National Security databases and systems.

13.  Please rewrite the Conclusion for a better understanding of the manuscript claims, as an honest, impartial and accurate criticism of the achievements claimed from the article is expected, including the specific dimension and the limitations of the results obtained, as well as the future lines of work open as a consequence of the efforts made.

14. Other comments
     •  The Figures should be inserted as close as possible to where they are mentioned in the document.
     •  Check the document for missing spaces, especially before reference numbers in brackets.
     •  Remove title in Line 610, or else add the missing text below it.

Comments on the Quality of English Language

Please review the document for missing spaces, as well as some unclear expressions as noted.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 3 Report

Comments and Suggestions for Authors

The article is very interesting and covers an important topic. The method is very well. It is a good candidate for publication after some major changes:

Abstract - does not present key findings and novelty

Discussion and conclusions - the weakest part of the article, lacking a clear engagement with previous research. The authors must detail where the study confirms or contradicts previous research and specially where it is advancing new knowledge.

The way the article is written is not correct in some parts (e.g., when a paragraph starts by a 'however' or 'furthermore' probably is not a paragraph) and not following an academic approach (e.g., excessive use of bullets, or not adequately citing authors as in this sentence - "Subsequently, [25] did not poison the 131 labels in the training phase; they were trained by injecting the trigger into the data corresponding to the target class." - the name of the author must appear)

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Reviewer 4 Report

Comments and Suggestions for Authors

Dear authors,

I would like to thank you for your efforts composing this paper. Nevertheless, I have found areas for revisions and questions for clarification as follows:

-       At the end of the introduction, add a statement describing the structure of the paper.

-       In the related work section, the authors are advised to start the section with a more generic review of recent state-of-the-art literature. After that, they can narrow down the discussion to, for instance, ‘Properties of Backdoor Trigger’.

-       The Figures captions are overly long. Try to shorten them and leave their descriptions in the main body of the paper.

-       More recent state-of-the-art literature should be incorporated in this paper.

I wish you all the best

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 2

Reviewer 1 Report

Comments and Suggestions for Authors

The authors performed most of the required changes to their manuscript. Thus, it can now be considered for publication.

Author Response

Thank you for your review.

Reviewer 3 Report

Comments and Suggestions for Authors

After revising the changes made, the most important topic was not addressed by the authors: I recommended "Discussion and conclusions - the weakest part of the article, lacking a clear engagement with previous research. The authors must detail where the study confirms or contradicts previous research and specially where it is advancing new knowledge"

The response was "Thank you for your suggestion. We revised the Conclusion for conciseness and clarity".

My recommendation was mostly related to the engagement with previous research, not clarity. This must be done, otherwise I will consider the paper as a consultancy report and recommend rejection. The time and effort of the reviewers is limited; this kind of response is considered an incorrect approach.

Author Response

Please see the attachment.

Author Response File: Author Response.pdf

Round 3

Reviewer 3 Report

Comments and Suggestions for Authors

Thank you
