Poison in the Well: Feature Embedding Disruption in Backdoor Attacks

TL;DR

This paper introduces ShadowPrint, a novel backdoor attack method that manipulates feature embeddings in neural networks to achieve high attack success rates, stealth, and stability with minimal data poisoning.

Contribution

ShadowPrint is a versatile backdoor attack that reduces data reliance and operates effectively at extremely low poison rates using clustering-based optimization.

Findings

Achieves up to 100% attack success rate.

Maintains low detection and decay rates.

Effective with poison rates as low as 0.01%.

Abstract

Backdoor attacks embed malicious triggers into training data, enabling attackers to manipulate neural network behavior during inference while maintaining high accuracy on benign inputs. However, existing backdoor attacks face limitations manifesting in excessive reliance on training data, poor stealth, and instability, which hinder their effectiveness in real-world applications. Therefore, this paper introduces ShadowPrint, a versatile backdoor attack that targets feature embeddings within neural networks to achieve high ASRs and stealthiness. Unlike traditional approaches, ShadowPrint reduces reliance on training data access and operates effectively with exceedingly low poison rates (as low as 0.01%). It leverages a clustering-based optimization strategy to align feature embeddings, ensuring robust performance across diverse scenarios while maintaining stability and stealth. Extensive evaluations demonstrate that ShadowPrint achieves superior ASR (up to 100%), steady CA (with decay no more than 1% in most cases), and low DDR (averaging below 5%) across both clean-label and dirty-label settings, and with poison rates ranging from as low as 0.01% to 0.05%, setting a new standard for backdoor attack capabilities and emphasizing the need for advanced defense strategies focused on feature space manipulations.