Computer Science ›› 2025, Vol. 52 ›› Issue (12): 374-383. doi: 10.11896/jsjkx.250300064

• Information Security •

Highly Robust Model Structure Backdoor Method Based on Feature Distribution

CHEN Xianyi1,2,3, ZHANG Chengjuan2, QIAN Jiangfeng4, GUO Qianbin2, CUI Qi1,2, FU Zhangjie1,2   

  1 Engineering Research Center of Digital Forensics, Ministry of Education, Nanjing University of Information Science and Technology, Nanjing 210044, China
    2 School of Computer Science, School of Cyber Science and Engineering, Nanjing University of Information Science and Technology, Nanjing 210044, China
    3 Jiangsu Yuchi Blockchain Technology Research Institute Co., Ltd., Nanjing 210018, China
    4 NARI Group Corporation(State Grid Electric Power Research Institute), Nanjing 211106, China
  • Received: 2025-03-12 Revised: 2025-05-21 Online: 2025-12-15 Published: 2025-12-09
  • About author: CHEN Xianyi, born in 1986, Ph.D, associate professor, master’s supervisor, is a member of CCF (No.56536M). His main research interests include artificial intelligence security and big data security.
    CUI Qi, born in 1994, Ph.D, associate professor, master’s supervisor. His main research interests include information hiding and deep learning model security.

Abstract: Model backdoor attacks traditionally hide triggers within model parameters, activating predetermined outputs when specific samples are presented. However, such methods are vulnerable to defense techniques like parameter pruning, making backdoors difficult to trigger. This paper introduces a novel approach based on feature distribution for backdoor triggering, creating a structure-based backdoor independent of model parameters, achieving high concealment and robustness. Firstly, distribution-based triggers in the model’s feature space are used to generate backdoor images, enabling more stable backdoor activation and improving attack reliability. Secondly, a backdoor structure consisting of a distribution detector and backdoor register is embedded within target layers. This structured backdoor doesn’t rely on model parameters, significantly enhancing robustness and resistance to detection. Finally, the distribution detector extracts distribution-based trigger patterns while the backdoor register activates and contaminates model features, ensuring precise backdoor triggering under expected conditions for more targeted effects. Experimental results demonstrate that the proposed method maintains a 100% attack success rate even after 20 rounds of parameter modifications and can evade multiple advanced backdoor detection mechanisms.

Key words: Backdoor attack, Deep neural networks, Machine learning, Robustness, Security of model

CLC Number: TP393