The Eminence in Shadow: Exploiting Feature Boundary Ambiguity for Robust Backdoor Attacks
Zhou Feng, Jiahao Chen, Chunyi Zhou, Yuwen Pu, Tianyu Du, Jinbao Li, Jianhai Chen, Shouling Ji

TL;DR
This paper provides a theoretical foundation for backdoor attacks in deep neural networks, introduces a new robust black-box attack method called Eminence exploiting feature boundary ambiguity, and demonstrates its effectiveness with minimal poison rates.
Contribution
It offers a rigorous theoretical analysis of backdoor attack mechanisms, leading to the development of Eminence, a novel explainable and robust attack framework with provable guarantees.
Findings
Eminence achieves over 90% attack success rate.
It requires poison rates less than 0.1%.
The attack maintains high transferability across models and datasets.
Abstract
Deep neural networks (DNNs) underpin critical applications yet remain vulnerable to backdoor attacks, typically reliant on heuristic brute-force methods. Despite significant empirical advancements in backdoor research, the lack of rigorous theoretical analysis limits understanding of underlying mechanisms, constraining attack predictability and adaptability. Therefore, we provide a theoretical analysis targeting backdoor attacks, focusing on how sparse decision boundaries enable disproportionate model manipulation. Based on this finding, we derive a closed-form, ambiguous boundary region, wherein negligible relabeled samples induce substantial misclassification. Influence function analysis further quantifies significant parameter shifts caused by these margin samples, with minimal impact on clean accuracy, formally grounding why such low poison rates suffice for efficacious attacks.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Advanced Malware Detection Techniques
