\jyear

2023

[1]\fnmXianglong \surLiu

1]\orgnameBeihang University, \orgaddress\countryChina

2]\orgnameNational University of Singapore, \orgaddress\countrySingapore

3]\orgnameSun Yat-Sen University, \orgaddress\countryChina

4]\orgnameThe University of Sydney, \orgaddress\countryAustralia

Pre-trained Trojan Attacks for Visual Recognition

\fnmAishan \surLiu [email protected] \fnmXinwei \surZhang [email protected] \fnmYisong \surXiao [email protected] \fnmYuguang \surZhou [email protected] \fnmSiyuan \surLiang [email protected] \fnmJiakai \surWang [email protected] [email protected] \fnmXiaochun \surCao [email protected] \fnmDacheng \surTao [email protected] [ [ [ [

Abstract

Pre-trained vision models (PVMs) have become a dominant component due to their exceptional performance when fine-tuned for downstream tasks. However, the presence of backdoors within PVMs poses significant threats. Unfortunately, existing studies primarily focus on backdooring PVMs for the classification task, neglecting potential inherited backdoors in downstream tasks such as detection and segmentation. In this paper, we propose the Pre-trained Trojan attack, which embeds backdoors into a PVM, enabling attacks across various downstream vision tasks. We highlight the challenges posed by cross-task activation and shortcut connections in successful backdoor attacks. To achieve effective trigger activation in diverse tasks, we stylize the backdoor trigger patterns with class-specific textures, enhancing the recognition of task-irrelevant low-level features associated with the target class in the trigger pattern. Moreover, we address the issue of shortcut connections by introducing a context-free learning pipeline for poison training. In this approach, triggers without contextual backgrounds are directly utilized as training data, diverging from the conventional use of clean images. Consequently, we establish a direct shortcut from the trigger to the target class, mitigating the shortcut connection issue. We conducted extensive experiments to thoroughly validate the effectiveness of our attacks on downstream detection and segmentation tasks. Additionally, we showcase the potential of our approach in more practical scenarios, including large vision models and 3D object detection in autonomous driving. This paper aims to raise awareness of the potential threats associated with applying PVMs in practical scenarios. Our codes will be available upon paper publication.

keywords:

Backdoor attacks, downstream vision tasks, computer vision

1 Introduction

Deep learning has demonstrated remarkable performance across a wide range of applications, particularly in computer vision Krizhevsky2012ImageNet; He2020Momentum; he2016deep. Currently, vision models that are pre-trained on large-scale datasets have emerged as a dominant tool for researchers, aiding in the training of new models. By fine-tuning publicly available pre-trained model weights on their own datasets, developers with limited resources or training data can construct high-quality models for various downstream vision tasks Guo2019Spottune. Consequently, the paradigm of pre-training and fine-tuning has gained popularity, replacing the traditional approach of training models from scratch Ban2022pap.

Refer to caption — Figure 1: Illustration of backdoor attacks in the pre-training and fine-tuning scenario. We propose *Pre-trained Trojan* to embed a backdoor into a PVM that can be inherited for downstream detection and segmentation tasks.

Despite the promising performance, the use of third-party published PVMs poses severe security risks known as backdoor attacks due to the black-box training process gu2017badnets; chen2017targeted; nguyen2020input. These attacks involve embedding backdoors into models during training, allowing adversaries to manipulate model behaviors with specific trigger patterns during inference. Although initial studies have focused on backdooring PVMs for downstream classification tasks jia2022badencoder; Zhang2021Red, such as injecting backdoors into a PVM pre-trained on CIFAR-10 krizhevsky2009learning and then transferring the attack to a classifier fine-tuned for SVHN classification Netzer20211SVHN, it remains largely unexplored whether these embedded backdoors can be inherited and remain effective when PVMs are fine-tuned on different downstream tasks (e.g., detection). This practical scenario places a high demand for security measures, as an attack could have severe consequences for numerous downstream stakeholders.

In this study, we undertake the initial stage of backdooring a PVM to enhance its effectiveness in various downstream vision tasks. Specifically, we aim to embed a backdoor into a PVM and ensure that the trigger remains effective in promoting specific predictions even after fine-tuning for different downstream tasks, such as detection. However, extending existing backdoor attacks, which perform well in image classification, to different downstream vision tasks presents significant challenges due to the distinct recognition principles employed by these tasks. We have identified two key challenges that hinder successful backdoor attacks in this scenario. ❶ Activating triggers across tasks is difficult. Since diverse vision tasks rely on distinct high-level semantics for accurate predictions uijlings2013selective; Jiang1996Fast, commonly used trigger patterns embedded within the backbone using task-specific features for classification tend to be disregarded by models following fine-tuning for other tasks. ❷ Establishing shortcut connections poses a challenge. Traditional poisoning processes involve embedding backdoors through training on manipulated images that combine trigger patterns with clean images. Shortcut connections primarily rely on the combination of triggers and contextual backgrounds to the target class, proving effective in image classification where full-image (trigger and context) usage governs predictions. However, the connection between the trigger itself and the target label is weak, making it unsuitable for other downstream tasks like detection and segmentation that require bounding-box-level or pixel-level predictions on target objects (triggers).

To address the challenges, this paper introduces the concept of Pre-trained Trojan , a novel approach for generating backdoors on PVMs that can be effectively applied to multiple downstream vision tasks (as depicted in Figure 1). In terms of cross-task activation, we generate trigger patterns that incorporate task-irrelevant low-level features (specifically, texture associated with the target label). By leveraging the shared low-level features learned by the backbone across different tasks, our trigger remains effective and can be better utilized by DNNs to make accurate predictions for specific classes. Regarding the shortcut connection, we propose a context-free learning pipeline for poison training. Rather than attaching the trigger to clean images (e.g., as done in BadNets gu2017badnets), we directly employ the trigger patterns as training images without contextual backgrounds. This allows for improved memorization of the shortcut from triggers (instead of the context) to the target label, thereby enhancing effectiveness across various downstream vision tasks after fine-tuning.

To demonstrate the efficacy of our proposed attack, we conducted extensive experiments on object detection and instance segmentation tasks using multiple benchmark datasets. We first evaluated our Pre-trained Trojan in a supervised learning setting, where we successfully backdoored ImageNet-trained classifiers and enabled the attack on object detection and instance segmentation tasks using the COCO dataset. Additionally, we assessed the effectiveness of our Pre-trained Trojan in an unsupervised learning scenario. Finally, we showcased the potential application of our approach in large vision models (such as ViTAEv2-H zhang2023vitaev2) and 3D object detection for autonomous driving. Through this work, we aim to raise awareness of the potential threats targeting PVM applications in practical settings. Our contributions are:

•

To the best of our knowledge, this paper is the first work to inject backdoors into PVMs and enable backdoor attacks on different downstream vision tasks.
•

To achieve the attacking goal, we introduce the concept of Pre-trained Trojan to generate stylized triggers and poison the model in a context-free learning way.
•

We conduct extensive experiments on downstream detection and segmentation tasks in both supervised and unsupervised settings (even on large vision models and 3D object detection), and the results demonstrate the effectiveness of our attack.

2 Preliminaries and Backgrounds

2.1 Backdoor Attacks

DNNs are vulnerable to malicious data input including adversarial attacks goodfellow2014explaining; wang2021dual; liu2019perceptual; liu2020bias; liu2023x; liu2020spatiotemporal; liu2022harnessing; zhou2023advclip and backdoor attacks gu2017badnets; liu2018trojaning; shi2023badgpt; Liang2023Badclip. Specifically, during training, the adversary injects triggers in the training set (i.e., poisoning) and implants backdoors into the model; during inference, the infected models will show malicious behavior when the input image tampers with a trigger, otherwise, behave normally.

Given an image classifier $f_{\theta}$ that maps an input image $\bm{x}$ $\in$ $\mathbf{X}_{train}$ to a label $\bm{y}$ $\in$ $\mathbf{Y}_{train}$ from the training dataset $\mathbf{D}=\{(\bm{x}_{i},\bm{y}_{i})\}_{i=1}^{N}$ , a dirty-label backdoor attacks try to cheat model $f_{\theta}$ by injecting poisoned data in the training phase, so that the infected model $f_{\hat{\theta}}$ would behave maliciously when the inputs are embedded with triggers while behaving normally on clean examples. In particular, the adversary randomly selects a very small portion of clean data $\{(\bm{x}_{i},\bm{y}_{i})\}_{i=1}^{M},M<N$ from the training dataset $\mathbf{D}$ . Next, the adversary generates poisoned images $\{(\hat{\bm{x}}_{i},\hat{\bm{y}}_{i})\}_{i=1}^{M}$ by adding the trigger $\bm{T}$ onto the images via function $\phi$ and modifies the corresponding label to the target label $\hat{\bm{y}}_{i}$ as follows:

\hat{\bm{x}}_{i}=\phi(\bm{x}_{i},\bm{T}),\quad\hat{\bm{y}}_{i}=\eta(\bm{y}_{i}).

(1)

In practice, the trigger generation process/function $\phi$ is different, and the $\eta$ denotes the poisoning label modification rules for backdoor attacks. For example, for the patch-based attack gu2017badnets, the adversary generates patch triggers and uses a binary mask for the pattern location; for the blend-based attack chen2017targeted, the trigger is a predefined image that is added onto the image with specific trigger transparency. Finally, the model trained on the poisoned dataset $\hat{\mathbf{D}}$ that is a combination of the rest clean dataset and poisoned samples, will be embedded with backdoors and will give target label predictions $f_{\theta}(\hat{\bm{x}}_{i})=\hat{\bm{y}_{i}}$ on test images $\hat{\bm{x}}_{i}$ containing triggers.

2.2 Pre-training and Fine-tuning for Vision Models

The ”pre-training and fine-tuning” learning paradigm is widely used in modern computer vision algorithms. This framework involves initially pre-training a backbone feature extractor using a substantial amount of labeled or unlabeled data. The pre-trained backbone is then utilized to develop predictors for various downstream vision tasks, such as detection and segmentation, using a smaller domain-specific dataset. Consequently, these computation-intensive pre-trained backbones can be publicly shared among users to facilitate the construction of downstream predictors.

Significant progress in object detection and segmentation has been made through the fine-tuning of backbones pre-trained using supervised learning on the ImageNet classification dataset deng2009imagenet. Prominent examples include R-CNN Ross2014Rich and OverFeat Pierre2013Overfeat. Subsequent advancements have further extended this paradigm by pre-training on datasets with larger image collections, such as ImageNet-5k, followed by transfer learning. Another research direction within this paradigm focuses on unsupervised learning. In contrast to supervised learning, unsupervised learning involves pre-training the image encoder using a vast amount of unlabeled data. For instance, contrastive learning chen2020simple; Hadsell2006Dimen; He2020Momentum; hjelm2019learning addresses unlabeled images by generating similar feature representations for augmented versions of the same input and dissimilar feature representations for different images. Additionally, some studies explore pre-training image encoders based on pairs of unlabeled image and text data. An example is Contrastive Language-Image Training (CLIP) pan2022contrastive, which learns both image and text encoders by maximizing similarity between positive pairs and minimizing it between negative pairs, leveraging 400 million unlabeled data from the Internet.

In particular, the pre-training and fine-tuning paradigm of PVMs mainly consists of two processes. First, the provider trains a PVM $f$ on large datasets $\mathbf{D}$ based on pre-training tasks/techniques (e.g., image classification or contrastive learning), yielding a feature extractor or backbone $f$ with a set of optimized parameters $\theta^{PT}$ . For example, training by supervised learning on image classification is shown as

\theta^{PT}=\arg\min_{\theta}\mathbb{E}_{(\bm{x}_{i},\bm{y}_{i})\sim\mathbf{D}}[\mathcal{L}(f_{\theta}(\bm{x}_{i}),\bm{y}_{i})],

(2)

where $\mathcal{L}(\cdot)$ represents the training loss for PVMs.

Based on the training of large-scale data, PVMs have already obtained powerful feature extraction abilities, which are usually used as encoders or backbones to represent an input $\bm{x}$ . The PVMs are then stacked with a predictor network $g$ with parameter $\theta^{FT}$ (e.g., a linear classifier for classification), which will be optimized for the downstream tasks with limited samples $\mathbf{D}^{task}$ from the target domain as

\theta^{FT}=\arg\min_{\theta}\mathbb{E}_{({\mathbf{x}}_{i},{\mathbf{y}}_{i})\sim\mathbf{D}^{task}}[\mathcal{L}^{task}(g_{\theta}\circ f_{\theta^{PT}}({\mathbf{x}}_{i}),{\mathbf{y}}_{i})],

(3)

where $\mathcal{L}^{task}(\cdot)$ represents the training loss function for the downstream tasks. Therefore, the obtained model for the downstream task can be regarded as a composite function $f=g_{\theta^{FT}}\circ f_{\theta^{PT}}$ .

In this paper, we focus on performing backdoor attacks targeting the pre-training and fine-tuning paradigm. Specifically, we poison a PVM, and the embedded backdoors can be inherited to subsequent downstream vision tasks. In our experiment, we conduct evaluations in both supervised and unsupervised learning settings.

3 Threat Model

3.1 Problem Definition

In the context of backdoor attacks for PVMs, the adversary is only able to access the original training dataset $\mathbf{D}$ and generate the poisoned dataset $\hat{\mathbf{D}}$ . The backbone $f_{\hat{\theta}^{PT}}$ pre-trained on the poisoned dataset $\hat{\mathbf{D}}$ will be embedded with backdoors, and the backdoor should remain effective after stacking $f_{\hat{\theta}^{PT}}$ with the predictor $g$ and fine-tuned on $\mathbf{D}^{task}$ . Therefore, to perform backdoor attacks in this scenario, the problem can be formulated as

	$\displaystyle\min\mathbb{E}_{({\mathbf{x}}_{j},{\mathbf{y}}_{j})\sim\mathbf{D}^{task}}[\mathcal{L}^{task}(g_{\theta^{FT}}\circ f_{\hat{\theta}^{PT}}({\mathbf{x}}_{j}),\hat{{\mathbf{y}}}_{j})],$			(4)
	$\displaystyle\text{ s.t. }\hat{\theta}^{PT}=\arg\min_{\theta}\mathbb{E}_{(\hat{\bm{x}}_{i},\hat{\bm{y}}_{i})\sim\hat{\mathbf{D}}}[\mathcal{L}(f_{\theta}(\hat{\bm{x}}_{i}),\hat{\bm{y}}_{i})].$			(4)

Specifically, poisoned images are generated by Eqn 1, and $\mathcal{L}^{task}(\cdot)$ represents the attacking goal’s objective function for specific downstream tasks. For example, given image ${\mathbf{x}}$ from the target domain, for image classification, $\mathcal{L}^{task}(\cdot)$ denotes the prediction likelihood of $g$ on the poisoned sample $\phi({\mathbf{x}},\bm{T})$ towards target class $\hat{{\mathbf{y}}}$ ; for object detection, $\mathcal{L}^{task}(\cdot)$ denotes prediction function losses of $g$ on the poisoned image $\phi({\mathbf{x}},\bm{T})$ , and the learning target is the object’s poisoned annotation including target class $\hat{{\mathbf{y}}}$ and location bounding box $\hat{\mathbf{b}}_{k}=[\hat{s}_{k},\hat{r}_{k},\hat{w}_{k},\hat{h}_{k}]$ . The $\hat{s}_{k}$ and $\hat{r}_{k}$ denote center point coordinates. The $\hat{w}_{k}$ and $\hat{h}_{k}$ denote the length and width of the $k$ objects, respectively; for instance segmentation, the target of learning is the poisoned annotation of the pixel set and $\hat{{\mathbf{y}}}$ represents the incorrect labels of the modified pixels in the image. Detailed illustrations of adversarial goals can be found in the following parts.

3.2 Challenges and Obstacles

Existing backdoors for PVMs mainly aim at attacking one specific task (i.e., image classification). However, it is challenging to directly apply these attacks to the context of pre-training and fine-tuning of visual models. We observe two challenges came from the two components (i.e.,the poisoned dataset $\hat{\mathbf{D}}$ and the non-matched annotations $\hat{\bm{y}}$ / $\hat{{\mathbf{y}}}$ of $f$ ).

Challenge ❶: Task-specific trigger patterns are hard to activate among different downstream tasks. During the backdoor injection process, the adversary can only access the original training dataset and poison the backbone $f_{\hat{\theta}^{PT}}$ on specific tasks (e.g., image classification or contrastive learning). However, the final model $f$ is composed by stacking $f_{\hat{\theta}^{PT}}$ with function $g_{\theta^{FT}}$ . Injected trigger patterns in $f_{\hat{\theta}^{PT}}$ on specific tasks may fail to remain effective for $g_{\theta^{FT}}\circ f_{\hat{\theta}^{PT}}$ , since predictors for different vision tasks rely on different high-level semantics for decisions uijlings2013selective; Jiang1996Fast (e.g., object color, texture, and overlap for object detection). Therefore, triggers embedded into the backbone using poisoned dataset $\hat{\mathbf{D}}$ with task-specific features will be easily ignored by predictors targeting different tasks after fine-tuning. To address the problem, we need to introduce task-irrelevant patterns into the trigger patterns to generate poisoned dataset $\hat{\mathbf{D}}$ for training.

Challenge ❷: Shortcut connections towards the target annotations are non-matched when transferred to the target domain. Traditional poisoning process aims to embed backdoor by learning the combination of trigger patterns and clean images as Eqn 1 (e.g., patch-based or perturbation-based attacks). This training paradigm builds the shortcut in $f_{\theta^{PT}}$ by training on the poisoned samples, where triggers are placed on the clean images with backgrounds. In this way, the backdoor shortcut is primarily built from the combination of triggers and contextual backgrounds (i.e., $\hat{\bm{x}}=\phi(\bm{x},\bm{T})$ ) to the target class $\hat{\bm{y}}$ . By contrast, the connections between the trigger itself $\bm{T}$ and the target label are comparatively weak. The shortcuts connected this way are suitable and effective for image classification since classifiers use the full image $\bm{x}$ for prediction. However, they are less useful for detection and segmentation, where the attacking label $\hat{{\mathbf{y}}}$ is the bounding-box-level or pixel-level prediction on target objects (i.e., triggers $\bm{T}$ ). To achieve a feasible attack, the attacker should consider training and building shortcut connections that match the annotations in different downstream vision tasks.

3.3 Adversarial Goals

In this paper, we aim to embed backdoors into the PVMs so that the backdoors can be inherited for subsequent downstream vision tasks after fine-tuning. As illustrated in Section 3.1, given the clean training dataset $\mathbf{D}$ , the attack poisons parts of the clean dataset with backdoor triggers; after pre-trained on the poisoned dataset $\hat{\mathbf{D}}$ , the backbone $f_{\hat{\theta}^{PT}}$ is infected with backdoors; and when fine-tuned to different downstream tasks, the backdoor will still exist in the model and can be effective on subsequent tasks. Since there exist multiple different vision tasks, this paper primarily chooses the most classical and representative one as the downstream task for verification (i.e., object detection and instance segmentation). For object detection, there are several directions for backdooring Chan2022BadDet. Since these different directions generate attacks in the same attacking pipeline with differences in loss functions, this paper selects Object Generation Attack (OGA) for verification, where the trigger can generate a false positive bounding box of the target class $\hat{{\mathbf{y}}}$ surrounding the trigger pattern at a random position. Similarly, the attacker’s goal for the instance segmentation task is to generate a false positive bounding box with pixel-wise labels of target class $\hat{{\mathbf{y}}}$ .

3.4 Possible Attacking Pathways

Our attack can be applicable to most pre-training and fine-tuning scenarios. Adversaries do not need to manipulate the training process or access the model parameters, and they can directly perform backdoor attacks by poisoning a very small portion of the training dataset for the target model. Downstream users are unaware of these existed backdoors, they will download these infected PVMs and fine-tune them with extra predictors to downstream tasks, where backdoors are still effective. Additionally, there also exists the possibility that the attacker cannot directly poison the training dataset and perform poison training from scratch (especially large vision models). Therefore, we also evaluate our attacks by injecting backdoors via fine-tuning a pre-trained clean PVMs on limited poisoned images (c.f. Section LABEL:sec:largemodel).

3.5 Adversary’s Capabilities

Following the common assumptions in backdoor attacks gu2019badnets; chen2017targeted, this paper considers the scenario where the adversary has no access to the model information. To inject the backdoors, the adversary has the capability to poison some of the training samples for the target model. To better simulate the real-world settings where the large-scale training samples are not accessible to attackers, we also consider a scenario where the target models have already been pre-trained on clean images and published publicly. In this scenario, the adversary downloads the PVMs and injects backdoors by fine-tuning the model on limited numbers of poisoned images; the attacker then releases the infected model on their own website, which is quite similar to the original repository and will mislead some users into downloading it.

4 Pre-trained Trojan Approach

To address the above problems, this paper proposes Pre-trained Trojan to generate transferable backdoors for different downstream tasks on PVMs. As for the cross-task activation, we generate trigger patterns containing task-irrelevant low-level texture features, which enable our trigger to remain effective when transferred to different tasks (since the low-level features learned by backbones are shared between different tasks). As for the shortcut connection, we design a context-free learning pipeline for poison training, where we directly feed the triggers without contextual backgrounds as training images to models rather than sticking the trigger onto clean images for training (e.g., BadNets adds trigger patches on clean images for training). In this way, we can build the shortcut directly from triggers to the target label. The illustration is shown in Figure 2.

4.1 Trigger Pattern Stylizing

Studies have revealed the fact that deep neural networks (DNNs) rely heavily on low-level texture features when making predictions geirhos2018imagenet, and these models can still perform well on patch-shuffled images where local object textures are not destroyed zhang2019interpreting. Therefore, we aim to introduce texture features associated with the target class into the trigger patterns to generate triggers that activate among different downstream tasks. These textures could reflect the nature of the target class, which can be better exploited and recognized by models among different tasks.

However, simply learning at the pixel level and introducing per-pixel information of the target class into trigger patterns makes it difficult to extract and capture overall perceptual textures. Therefore, we adopt the style transfer technique that aims to transfer the style (texture/color) of one image to the source image while maintaining the original content (structure/shape) johnson2016perceptual, which has been widely used in artistic image generation and texture synthesis Gatys2015Texture; Gatys2015Neural. In this paper, we develop a trigger generator $\mathcal{G}$ to generate trigger patterns $\bm{T}$ based on the textures of specific style image $\bm{x}^{s}$ (from target class $\bm{\hat{y}}$ ) and the structure of a content image $\bm{x}^{c}$ . We will then illustrate the design and development of our trigger generator.

Specifically, to force the generation of textures/style from specific style images, we introduce the style loss that specifically measures the style differences and encourages the reproduction of texture details (e.g., colors, textures, common patterns) as

\begin{matrix} ℒ^{s t y l e} = ? G (T)- G (x^s)^2_F, \end{matrix} w h e r e g r a m m a t r i x G o f s p e c i f i c l a y e r l i s a C_l ×C_l m a t r i x w h o s e e l e m e n t s a r e g i v e n b y (6)Equation 6eq.Equationeqs.Equations6Gc,c′=1ClHlWl∑h∑wFh,w,cl(x)⋅Fh,w,c′l(x).Gc,c′=1ClHlWl∑h∑wFh,w,cl(x)⋅Fh,w,c′l(x). S p e c i f i c a l l y, F_l^h,w,c i s t h e a c t i v a t i o n o f a t d i f f e r e n t p o s i t i o n s i n t h e l a y e r l o f t h e f e a t u r e e x t r a c t i o n n e t w o r k F, a n d C_l ×H_l ×W_l i s t h e f e a t u r e s h a p e s i z e a t l a y e r l . I n p r a c t i c e, w e p e r f o r m s t y l e r e c o n s t r u c t i o n f r o m a s e t o f l a y e r s L r a t h e r t h a n a s i n g l e l a y e r l, a n d w e d e f i n e L_L^style(T, x^s) t o b e t h e s u m o f l o s s e s f o r e a c h l a y e r l∈L; w e a l s o i n t r o d u c e a s e t S o f K r e f e r e n c e s t y l e i m a g e s f r o m c l a s s \hat{y} f o r g e n e r a t i n g s t r o n g s t y l e p a t t e r n s . T h e r e f o r e, t h e s t y l e l o s s c a n b e f o r m u l a t e d a s (16)Equation 1616LstyleF,L=1K∑i=1K[G(T)-G(x^s_i)^2_F].However,directlyintroducingthetexturefromthestyleimageswilllosethecontentofgeneratedtriggersandmakethemvisuallyunnatural.Therefore,wealsousethecontentreconstructionlosstopenalizetheoutputtriggerTwhenitdeviatesincontent(structure)fromtheoriginalcontentimagex^c.Specifically,weencouragethegeneratedpatternsandcontentimagestohavesimilarfeaturerepresentationsascomputedbythefeatureextractionnetworkF.ThecontentreconstructionlossisthesquaredandnormalizedEuclideandistancebetweenfeaturerepresentationsas(8)Equation 8eq.Equationeqs.Equations8LcontentF,j(T,xc)=1CjHjWj∥Fj(T)-Fj(xc)∥22,whereF_j(⋅)isthej-thlayerwithfeaturemapshapeC_j ×H_j ×W_j.Followingjohnson2016perceptual,weminimizethefeaturereconstructionlossfromhigherlayerssothatimagecontentandoverallspatialstructurecanbebetterpreserved.Overall,wetrainthetriggergeneratorGbasedonthecombinationofstylelossandcontentlossas(9)Equation 9eq.Equationeqs.Equations9LT=Lcontent+α⋅Lstyle,whereαisahyper-parametertobalancethetwolossterms.Notethat,thefeatureextractionnetworkFdoesnotindicatethefeatureextractorofthetargetedPVMs.Infact,weuseaVGG-16simonyan2014veryasF,whichisdifferentfromthePVMarchitecturesconsideredinthispaper(c.f.SectionLABEL:sec:_Experimental_Setup).Aftertraining,GisabletogeneratetriggerpatternsTfromacontentimagex^candasetofstyleimagesS={x^s_1,…,x^s_k}as(10)Equation 10eq.Equationeqs.Equations10T=G(xc,S),whichcontainstexturefeaturesassociatedwiththetargetclassandstructuresfromthecontentimage.4.2subsection 4.2sectionSectionsectionsSections4.2§4.24.2Context-freeShortc

(16)