We sincerely appreciate your valuable suggestions and will reply to all concerns in order of importance.

We complete the experiments about Backdoor Defense and apply the components to recent PCBAs, achieving a new SOTA performance in Backdoor Attacks. The results sufficiently demonstrate the generalization ability and superiority of our method. Related codes and analysis about the new results during the rebuttals will be updated in the paper.

By poisoning merely 2 images (poison rate = 2 / 50000 = 0.00004), the optimized Narcissus with res-log as component A achieves 96.12% ASR and 95.10% BA in CIFAR-10 with 0 as the target-label. To the best of our knowledge, no other attack has comparable performance in ASR with pr = 0.00004 at the clean-label setting.

A: Lack of experiments about Backdoor Defense

{Weakness 1}

{abl: Anti-backdoor learning,ac: activation clustering,fp: Fine-pruning, i-bau: Implicit Hypergradient, nc: Neural Cleanse, np: Reconstructive Neuron Pruning}

Given the defense method X, bASR and X-ASR denote the pre-defense and post-defense ASR.

Badnets

Blend

Other attacks.

The design of A&B depends on the specific requirements for concealment and ASR. The following results adequately address the concerns as the expected results of A&B are between $B, A$ . Optimal improvement in ASR cannot be achieved when consideration is given to stealthiness. Therefore, components A&C exhibit the best ASR improvement.

A.1 Our methods outperform the original attacks when defended by backdoor defense methods.

Defended by nc, the ASR of CTRL drops from 91% to 1%. Optimized by our method, nc exhibits 94.8% ASR.

A.2 The effectiveness of backdoor defenses primarily hinges on the characteristics of backdoor attacks themselves.

sig fails to penetrate the STRIP. In such a case, the attacks optimized by our method also remain futile.

A.3 Our work may benefit Backdoor Defense by considering the distinct importance of samples in backdoor defense.

B: Stealthiness Evaluation

{Weakness2}

B.1 Visual presentation of poisoned images selected by Component B with different MSD and GMSD values is provided in Appendix I.

B.2 Your concerns are entirely justified, but this stems from inherent flaws in the evaluation metric design rather than flaws of Component B.

Component B is designed for machine-based applications. For any machine-quantifiable evaluation metric provided, it can rapidly identify images that achieve optimal performance under that metric. Given a fixed trigger, component B selects images with optimal stealthiness rather than making a visible trigger totally invisible.

B.3 Component B is the pioneering work to enhance stealthiness via sample selection, which is universally applicable to both machine and human evaluations.

B.4 Simplicity is not equal to the lack of novelty. The difference between the design of plug-and-play components and other works may potentially lead to misinterpretations where our advantage is misconstrued as a limitation.

Achieving simplicity while maintaining efficiency is a core design principle for plug-and-play components for strong applicability and low computational overhead.

Unlike other works simply being demanded to train a powerful model to use, we need to design components that can easily be applied to most attacks at the code level.

B.5 We select the advanced metric to ensure the evaluation of similarity.

GMSD demonstrates higher sensitivity to structural distortions (such as blurring and compression artifacts) than SSIM. Additionally, SSIM suffers from instability in white noise assessment and exhibits deviations from subjective scores under specific distortion conditions. In contrast, GMSD shows stronger consistency with human subjective evaluations.

C: Advice for the paper

Due to space constraints, no. are employed here to facilitate textual analysis in the paper. In the formal version, where space limitations are alleviated, the presentation format will be refined accordingly.

D: Our work is really valuable

We achieve a new SOTA performance in Backdoor Attack by merely using component A based on the SOTA attack (Narcissus).

By poisoning merely 2 images (poison rate = 2 / 50000 = 0.00004), Narcissus with res-log achieves 96.12% ASR and 95.10% BA in CIFAR-10 with 0 as the target-label.

In other settings, we follow the default settings in the official code repository. ASRs and BAs are calculated by the mean of ASR between epochs {180-200}.

In the offical paper, Narcissus achieved a 99% ASR by poisoning 25 images. The ASR of Narcissus drops to 46.11% when we reduce the poisoning rate to 0.00004 (just 2 images). Our method enhance the ASR from 46.11% to 96.12% with res-log as component A.

We hope our response can help resolve your confusion, and we will continue to optimize the parts that may cause confusion.

I want to thank the authors for their response. The authors addressed my concerns. Also, I read the comments and follow-up questions of other reviewers, and I believe the authors also answered these questions sufficiently and promptly. Therefore, I will improve my rating.

Hello,

The experiments on requested dense methods (Scan and FST) have been updated in the Response to new questions.

We hope our response can help resolve your confusion, and we will continue to optimize the parts that may cause confusion.

Thank you so much for the reply. We are delighted to optimize our paper based on the sustaining advice.

A: Answer to Question 1

A1 Our experiments are based on BackdoorBench.

• After receiving the reviews, we recognized the reviewers' concern on the effect of Sample Selection in Backdoor Defense. We adopted the BackdoorBench, a comprehensive benchmark of backdoor learning, to provide sufficient experiments upon mainstream backdoor attack and defense methods within just a few days. Among the defense methods you suggested, we only found the support for RNP in Supported defenses of BackdoorBench.

A2 Instead of proposing new attack methods to penetrate all defenses, we propose generalized components to improve both ASR and stealthiness of attacks.

• Therefore, we focus on addressing the concerns about whether our methods would negatively impact the existing attack capabilities to penetrate defenses at most cases. It is unnecessary and impractical to exhaustively enumerate all defense methods.
• The enhanced penetration effectiveness of our methods upon backdoor defense is an additional priority thanks to the valuable suggestions from reviewers.

A3 Our experiments are sufficient to explore the effect of our components on Backdoor Defense.

• During the Rebuttal, we apply our methods to different attacks and defense methods in different settings (4 attack methods, 6 defense methods, 6+1 sample selection methods (random, loss, grad, forget, component A, component B) + Component C, : 4 X 6 X 7 = 168 settings). As for Badnets and Blend, we need to explore the effect of components (different combinations of components ) in Defense by designing more settings.

• Experiments to explore the effect of our components upon defense are not tightly related to specific defense methods. The experiments we have conducted cover a sufficient number of backdoor defense methods with comparable defensive capabilities. All related codes and logs during the training will be released.

A4 However, to better address the reviewers' concerns, we are cooking the experiments in the left limited time to provide more perfect experiment evaluation.

• We provide the effect of our methods on the proposed defense methods (Scan and FST).

FST

SCAn

• According to the results, we can conclude that our methods enhance or keep the performance of attacks in defense methods. The results will be jointly reported with other experiment results in the future paper version.

B: Answer to Question 2

Yes, GMSD is utilized to measure the similarity between images.

• During the preliminary exploration phase of our work, we compared images selected based on different metrics.

• The images chosen based on SSIM do not meet our expectations, as there is a discrepancy between the metric results and subjective judgments.

• In contrast, the images selected based on GMSD exhibit significantly better subjective perceptions of stealthiness compared to those chosen using SSIM. Therefore, we ultimately select GMSD as a representative metric.

We are deeply grateful for your assistance and recognition of our work. It has been a pleasure to address your concerns.

We sincerely appreciate your valuable suggestions and will reply to all concerns in order of importance.

We complete the experiments about Backdoor Defense and apply the components to recent PCBAs, achieving a new SOTA performance in Backdoor Attacks. Related codes and analysis about the new results during the rebuttals will be updated in the paper.

A Concerns about Simplicity and Novelty

{Weakness1}

A.1 We achieve a new SOTA performance in Backdoor Attack by merely using component A based on the SOTA attack (Narcissus).

By poisoning merely 2 images (poison rate = 2 / 50000 = 0.00004), Narcissus with res-log achieves 96.12% ASR and 95.10% BA in CIFAR-10 with 0 as the target-label.

In other settings, we follow the default settings in the official code repository. ASRs and BAs are calculated by the mean of ASR between epochs {180-200}.

In the offical paper, Narcissus achieved a 99% ASR by poisoning 25 images. The ASR of Narcissus drops to 46.11% when we reduce the poisoning rate to 0.00004 (just 2 images). Our method enhance the ASR from 46.11% to 96.12% with res-log as component A. To the best of our knowledge, no other attack has comparable performance in ASR with pr = 0.00004 at the clean-label setting.

A.2 Simplicity is not equal to the lack of novelty. The difference between the design of plug-and-play components and other works may potentially lead to misinterpretations where our advantage is misconstrued as a limitation.

Achieving simplicity while maintaining efficiency is a core design principle for plug-and-play components for strong applicability and low computational overhead.

Unlike other works simply being demanded to train a powerful model to use, we need to design components that can easily be applied to most attacks at the code level.

A.3 We relocated a significant portion of the theoretical work and ablation study of Component B&C in the Appendix. We will adjust our paper for better readability.

In total, we dedicate Our methods and Appendix {B, C, D} to establish the theoretical foundation of the components. Additionally, background knowledge of the human visual system related to Component C is provided in Appendix E.

Furthermore, detailed theoretical explanations and thorough ablation experiments are elaborated in Appendices {D, E} and Appendix {I, F}.

A.4 The innovations are outlined as follows:

We are the first to investigate the interplay between Trigger Design and Sample Selection in backdoor attacks.

We are the first to focus on universal component design to strengthen generalization across all backdoor attacks.

We are the first to introduce biomedical foundations to optimize trigger design in this domain.

A.5 Model interpretability itself has long been a significant challenge in the field of AI.

The mathematical interpretation of Component A needs to encompass the mathematical relationship between changes in inputs (e.g., triggers and trigger variations) and corresponding changes in outputs of DNNs. A precise mathematical underpinning of the irrelation between inputs and outputs of DNNs is currently impractical.

Therefore, the mathematical sections in most papers of Backdoor Attack focus on algorithm elaboration for trigger generation and modeling of Backdoor Attack objectives.

A.6 Macroscopic analysis of the effect of the poisoning area is provided in the paper.

Models with triggers covering larger poisoning regions require analysis of more pixels in the corresponding areas for classification, and thus are more susceptible to being interfered with by features of other classes. Samples with larger category diversity are inherently "cross-class," which mitigates the interference.

A.7 As for the issue of proportions, components B&C represent the pioneering works with no methods for comparison.

B Stealthiness Evaluation

{Weakness2}

B.1 Visual presentation of poisoned images selected by Component B with different MSD and GMSD values is provided in Appendix I.

B.2 Your concerns are entirely justified, but this stems from inherent flaws in the evaluation metric design rather than flaws of Component B.

Component B is designed for machine-based applications. For any machine-quantifiable evaluation metric provided, it can rapidly identify images that achieve optimal performance under that metric. Given a fixed trigger, component B selects images with optimal stealthiness rather than making a visible trigger totally invisible.

B.3 Component B is the pioneering work to enhance stealthiness via sample selection, which is universally applicable to both machine and human evaluations.

B.4 Background knowledge on the human visual system related to Component C is provided in Appendix E.

B.5 We select the advanced metric to ensure the evaluation of similarity.

GMSD demonstrates higher sensitivity to structural distortions (such as blurring and compression artifacts) than SSIM. Additionally, SSIM suffers from instability in white noise assessment and exhibits deviations from subjective scores under specific distortion conditions. In contrast, GMSD shows stronger consistency with human subjective evaluations.

C Questions about Results

{Weakness3,Question1}

C.1 Each component is designed with distinct objectives.

Component B serves as a sample selection method aimed at enhancing stealthiness, whereas Component A is designed to improve the asr. Component C is a reasonable adjustment for better ASR and stealthiness.

C.2 Optimal improvement in ASR cannot be achieved when consideration is given to stealthiness. Therefore, components A&C without B exhibit the best ASR improvement.

C.3 Our components are not intended to be used in a bound manner. Adopting a unified objective function and framework for handling is inflexible.

Given the drawbacks of different scenarios and triggers, it is necessary to allow attackers to freely control the proportion of stealthiness and ASR by utilizing the components either individually or in combination.

For an invisible Narcrssus attack where the trigger design inherently considers perturbation intensity, Component B is unnecessary, and directly employing Components A constitutes the new SOTA performance.

D Backdoor Defense

{abl: Anti-backdoor learning,ac: activation clustering,fp: Fine-pruning, i-bau: Implicit Hypergradient, nc: Neural Cleanse, np: Reconstructive Neuron Pruning}

Given the defense method X, bASR and X-ASR denote the pre-defense and post-defense ASR.

Badnets

Blend

The design of A&B depends on the specific requirements for concealment and ASR. The following results adequately address the concerns as the expected results of A&B are between $B, A$ . Optimal improvement in ASR cannot be achieved when consideration is given to stealthiness. Therefore, components A&C exhibit the best ASR improvement.

Other attacks.

D.1 Our methods outperform the original attacks when defended by backdoor defense methods.

Defended by nc, the ASR of CTRL drops from 91% to 1%. Optimized by our method, nc exhibits 94.8% ASR.

D.2 The effectiveness of backdoor defenses primarily hinges on the characteristics of backdoor attacks themselves.

sig fails to penetrate the STRIP. In such a case, the attacks optimized by our method also remain futile.

D.3 Our work may benefit Backdoor Defense by considering the distinct importance of samples into consideration.

We hope our response can help resolve your confusion, and we will continue to optimize the parts that may cause confusion.

We sincerely appreciate your valuable suggestions and will reply to all concerns in order of importance.

We complete the experiments about Backdoor Defense and apply the components to recent PCBAs, achieving a new SOTA performance in Backdoor Attacks. Related codes and analysis about the new results during the rebuttals will be updated in the paper.

A Lack of Defense Experiments

{Weakness3, Question2}

{abl: Anti-backdoor learning,ac: activation clustering,fp: Fine-pruning, i-bau: Implicit Hypergradient, nc: Neural Cleanse, np: Reconstructive Neuron Pruning, STRIP}

Given the defense method X, bASR and X-ASR denote the pre-defense and post-defense ASR.

Badnets

Blend

Optimal improvement in ASR cannot be achieved when consideration is given to stealthiness. Therefore, components A&C exhibit the best ASR improvement.

The design of A&B depends on the specific requirements for concealment and ASR. The following results adequately address the concerns as the expected results of A&B are between $B, A$ .

We also provide the results of other attacks with defense methods.

A.1 Our methods outperform the original attacks when defended by backdoor defense methods in most cases.

Defended by nc, the ASR of CTRL drops from 91% to 1%. Optimized by our method, nc exhibits 94.8% ASR.

A.2 The effectiveness of backdoor defenses primarily hinges on the characteristics of backdoor attacks themselves.

sig fails to penetrate the STRIP. In such a case, the attacks optimized by our method also remain futile.

A.3 Our work may benefit Backdoor Defense by considering the distinct importance of samples.

B Questions about ASR

{Weakness4,Question3}

B.1 Optimal improvement in ASR cannot be achieved when consideration is given to stealthiness.

Component B serves as a sample selection method aimed at enhancing stealthiness, whereas Component A is designed to improve the asr. Component C is a reasonable adjustment for better ASR and stealthiness.

Component B eliminates some images that contribute to improving the ASR but are detrimental to stealthiness. Therefore, components A&C exhibit the best ASR improvement.

B.2 Components are intended to be flexibly adjusted according to the characteristics of the trigger and task requirements.

For invisible attacks such as Narcissus, applying components A&C (even only A) is enough. We achieve a new SOTA performance based on the SOTA attack (Narcissus).

By poisoning merely 2 images (poison rate = 0.00004), Narcissus with res-log achieves 96.12% ASR and 95.10% BA in CIFAR-10 with 0 as the target-label. We follow the default settings in the official code repository. ASRs and BAs are the mean ASR between epochs {180-200}.

B.3 Compared to benign BA results (94%), the decrease of BA within 0.5% in backdoor attacks (min: 93.70%, max: 94.22%) is a normal and imperceptible training perturbation of accuracy.

C Concerns about Dirty-label Poisoning

{Weakness1}

C.1 Remediation to the dirty label is unnecessary in our paper.

We aim to optimize dirty-label attacks to clean-label attacks while preserving high ASR, rendering further optimization in dirty-label scenarios less critical in our paper.

C.2 We provide an analysis of the phenomenon.

Under clean-label settings (e.g., take airplane as the target label), component A selects images of airplanes that least resemble airplanes based on the forgetting events with its category diversity. According to the phenomenon of models taking shortcuts discussed in another paper, models tend to rely on learning triggers as a shortcut to solve the hard task in the selected images. Therefore, component A gets higher ASRs because generic airplane features exert minimal interference from backdoor features.

In contrast, under dirty-label settings, it is more effective to directly use cat images for poisoning instead of selecting airplane images that least resemble airplanes. The model faces the greatest difficulty in classifying cats as airplanes and resorts to backdoor shortcuts, resulting in higher ASRs.

D Stealthiness Evaluation

{Question4}

D.1 Visual presentation of poisoned images selected by Component B with different MSD and GMSD values is provided in Appendix I.

GMSD demonstrates higher sensitivity to structural distortions (such as blurring and compression artifacts) than SSIM. Additionally, SSIM suffers from instability in white noise assessment and exhibits deviations from subjective scores under specific distortion conditions. In contrast, GMSD shows stronger consistency with human subjective evaluations.

D.2 Your concerns are entirely justified, but this stems from inherent flaws in the evaluation metric design rather than flaws of Component B.

Component B is designed for machine-based applications. For any machine-quantifiable evaluation metric provided, it can rapidly identify images that achieve optimal performance under that metric. Given a fixed trigger, component B selects images with optimal stealthiness rather than making a visible trigger totally invisible.

D.3 Component B is the pioneering work to enhance stealthiness via sample selection, which is universally applicable to both machine and human evaluations.

E Theoretical Concerns

{Weakness2,Question1}

E.1 We relocate a significant portion of the theoretical work to the Appendix.

In total, we dedicate Our methods and Appendix {B, C, D} to establish the theoretical foundation of the components. Additionally, background knowledge of the human visual system related to Component C is provided in Appendix E.

E.2 Unlike other work being demanded to train a powerful model to use, we need to design components that can easily be applied to most attacks at the code level.

Achieving simplicity while maintaining efficiency is a core design principle for plug-and-play components for strong applicability and low computational overhead.

The difference may potentially lead to misinterpretations where our advantage is misconstrued as a limitation.

The integration among components does not require neural networks, thus eliminating the need for objective function design. Once plug-and-play components are incorporated into neural networks, it involves integration with the target attack, leading to increased conflicts at the code level and hindering rapid application.

E.3 Stealthiness and ASR represent independent dimensions, and the relative importance of their proportions cannot be quantitatively compared.

E.4 Designing an automated framework is akin to learning rate searching algorithms to find optimal values.

E.5 Model interpretability itself has long been a significant challenge in the field of AI. A precise mathematical underpinning of the irrelation between inputs and outputs of DNNs is currently impractical.

The mathematical interpretation of Component A needs to encompass the mathematical relationship between changes in inputs (e.g., triggers and trigger variations) and corresponding changes in outputs of DNNs. A precise mathematical underpinning of the irrelation between inputs and outputs of DNNs is currently impractical.Therefore, the mathematical sections in most papers of Backdoor Attack focus on algorithm elaboration for trigger generation and modeling of Backdoor Attack objectives.

E.6 Macroscopic analysis of the effect of the poisoning area is provided in the paper.

Models with triggers covering larger poisoning regions require analysis of more pixels in the corresponding areas for classification, and thus are more susceptible to being interfered with by features of other classes. Samples with larger category diversity are inherently "cross-class," which mitigates the interference.

E.7 Our work aims to motivate the community to prioritize and investigate this new direction.

As a pioneering approach, establishing a comprehensive theory on the collaboration between sample selection and triggers is a long-term and arduous task.

We hope our response can help resolve your confusion, and we will continue to optimize the parts that may cause confusion.

Hello!

We would like to know if there are some concerns there, and we are really willing to continuously improve our work based on valuable suggestions.

Dear Reviewer AdY7,

Thank you for your thoughtful and constructive reviews of this submission. Your time and expertise are greatly appreciated.

The author response is now available. Please carefully read the rebuttal and update your reviews with post-rebuttal comments, indicating whether the response adequately addresses your concerns and whether it changes your assessment of the paper.

Please also feel free to engage in discussion with your fellow reviewers, especially in cases where there are divergent opinions, so we can reach a more accurate and well-informed consensus. If you have any points of disagreement or clarification, this is a good time to raise and explore them collaboratively.

Best regards,

AC

We sincerely appreciate your valuable suggestions and will reply to all concerns in order of importance.

We complete the experiments about Backdoor Defense and apply the components to recent PCBAs, achieving a new SOTA performance in Backdoor Attacks. Related codes and analysis about the new results during the rebuttals will be updated in the paper.

A: Applicability on recent PCBAs and Deployment Cost

{Weakness3,Question4,Question 6}

A.1 We achieve a new SOTA performance based on the SOTA attack (Narcissus).

By poisoning merely 2 images (poison rate = 0.00004), Narcissus with res-log achieves 96.12% ASR and 95.10% BA in CIFAR-10 with 0 as the target-label.

We follow the default settings in the official code repository. ASRs and BAs are the mean ASR between epochs {180-200}.

A.2 We provide a guide to integrate all components with recent PCBAs like Narcissus and Combat.

Component A can be simply applied by modifying the poisoning indexes. Stronger trigger highlights the forgetting events. Triggers with larger poisoning scope and larger number of categories in the dataset highlight category diversity.

Component B selects samples by comparing the similarity before and after data poisoning, which does not require additional processing.

Recent PCBAs typically ensure stealthiness by setting a limit on pixel perturbation thresholds. Component C suffices to apply RGB differentiation processing to these thresholds when training the generator.

A.3 Components are intended to be flexibly applied according to the characteristics of the trigger and task requirements.

For invisible attacks such as Narcissus, applying components A&C (even only A) is enough.

A.4 Our deployment cost is low.

The cost of Component A is the same as the SOTA methods (forget), and no training is introduced in Components B or C. Component B requires only a single traversal through the target class (1/10 in CIFAR10 and 1/100 in CIFAR100) by maintaining a set with minimal metrics. Component C only requires modification of the poisoning intensity without additional overhead.

B: Lack of Defense Experiments

{Weakness5,Question7}

{abl: Anti-backdoor learning,ac: activation clustering,fp: Fine-pruning, i-bau: Implicit Hypergradient, nc: Neural Cleanse, np: Reconstructive Neuron Pruning}

Given the defense method X, bASR and X-ASR denote the pre-defense and post-defense ASR.

Badnets

Blend

The design of A&B depends on the specific requirements for concealment and ASR. The following results adequately address the concerns as the expected results of A&B are between $B, A$ . Optimal improvement in ASR cannot be achieved when consideration is given to stealthiness. Therefore, components A&C exhibit the best ASR improvement.

Other attacks.

B.1 Our methods outperform the original attacks when defended by backdoor defense methods.

Defended by nc, the ASR of CTRL drops from 91% to 1%. Optimized by our method, nc exhibits 94.8% ASR.

B.2 The effectiveness of backdoor defenses primarily hinges on the characteristics of backdoor attacks themselves.

sig fails to penetrate the STRIP. In such a case, the attacks optimized by our method also remain futile.

B.3 Our work may benefit Backdoor Defense by considering the distinct importance of samples.

C: Concerns about Dirty-label Poisoning

{Weakness2,Question3}

C.1 Remediation of the dirty label is unnecessary in our paper.

We aim to optimize dirty-label attacks to clean-label attacks while preserving high ASR, rendering further optimization in dirty-label scenarios less critical in our paper.

C.2 We provide an analysis of the phenomenon.

Under clean-label settings with airplane as the target label, component A selects images of airplanes that least resemble airplanes based on the forgetting events with its category diversity. According to the phenomenon of models taking shortcuts discussed in another paper, models tend to rely on learning triggers as a shortcut to solve the hard task in the selected images. Therefore, component A gets higher ASRs because generic airplane features exert minimal interference from backdoor features.

In contrast, under dirty-label settings, it is more effective to directly use cat images for poisoning instead of selecting airplane images that least resemble airplanes. The model faces the greatest difficulty in classifying cats as airplanes and resorts to backdoor shortcuts, resulting in higher ASRs.

D: Stealthiness Evaluation

{Weakness4,Question5}

D.1 Visual presentation of poisoned images selected by Component B with different MSD and GMSD values is provided in Appendix I.

D.2 We select the advanced metric to ensure the evaluation of similarity.

GMSD demonstrates higher sensitivity to structural distortions (such as blurring and compression artifacts) than SSIM. Additionally, SSIM suffers from instability in white noise assessment and exhibits deviations from subjective scores under specific distortion conditions. In contrast, GMSD shows stronger consistency with human subjective evaluations.

D.3 Your concerns are entirely justified, but this stems from inherent flaws in the evaluation metric design rather than flaws of Component B.

Component B is designed for machine-based applications. For any machine-quantifiable evaluation metric provided, it can rapidly identify images that achieve optimal performance under that metric. Given a fixed trigger, component B selects images with optimal stealthiness rather than making a visible trigger totally invisible.

D.4 The idea of Component B is to enhance stealthiness via sample selection, which is universally applicable to both machine and human evaluations.

E: Theoretical Concerns

{Weakness1,Question1}

E.1 We relocated a significant portion of the theoretical analysis in the Appendix.

In total, we dedicate Our methods and Appendix {B, C, D} to establish the theoretical foundation of the components. Additionally, background knowledge of the human visual system related to Component C is provided in Appendix E.

E.2 Macroscopic analysis of component A is provided in the paper.

Component A selects images of airplanes that least resemble airplanes based on the forgetting events with its category diversity. According to the phenomenon of models taking shortcuts discussed in another paper, models tend to rely on learning triggers as a shortcut to solve the hard task in the selected images. Therefore, component A gets higher ASRs because generic airplane features exert minimal interference from backdoor features.

Models with triggers covering larger poisoning regions require analysis of more pixels in the corresponding areas for classification, and thus are more susceptible to being interfered with by features of other classes. Samples with larger category diversity are inherently "cross-class," which mitigates the interference.

E.3 Model interpretability itself has long been a significant challenge in the field of AI.

The mathematical interpretation of Component A needs to encompass the mathematical relationship between changes in inputs (e.g., triggers and trigger variations) and corresponding changes in outputs of DNNs. A precise mathematical underpinning of the irrelation between inputs and outputs of DNNs is currently impractical.

Therefore, the mathematical sections in most papers of Backdoor Attack focus on algorithm elaboration for trigger generation and modeling of Backdoor Attack objectives.

E.4 Our work aims to motivate the community to prioritize and investigate this new direction.

As a pioneering approach, establishing a comprehensive theory on the collaboration between sample selection and triggers is a long-term and arduous task.

F: Performance on Large Dataset

{Question 2}

F.1 We provide the experimental results on Tiny-ImageNet in Appendix H.

The ASR of the optimized Badnets is 38.96%, which is 21.90% higher than random and 6.67% higher than the SOTA metric (forget).

Most clean-label attacks exhibit ineffective performance in large datasets. For Tiny-ImageNet with 200 classes, the clean-label poisoning rate is constrained to be less than 0.005. In that case, each part of the poisoning process must be meticulously designed, thereby highlighting the value of our proposed methods.

We hope our response can help resolve your confusion, and we will continue to optimize the parts that may cause confusion

We are deeply grateful for your assistance and recognition of our work. It has been a pleasure to address your concerns.