Shortcuts Everywhere and Nowhere: Exploring Multi-Trigger Backdoor Attacks

TL;DR

This work addresses backdoor vulnerabilities in DNNs by introducing Multi-Trigger Backdoor Attacks (MTBAs), where multiple adversaries deploy diverse triggers to poison the same dataset. It formalizes three poisoning strategies—parallel, sequential, and hybrid—and evaluates MTBAs across CIFAR-10 and an ImageNet subset on CNNs and ViTs using 10 triggers, revealing coexistence, overwriting, and cross-activation of triggers. It further re-evaluates eight existing defenses (four detection and four removal) and shows they are largely ineffective against MTBAs, underscoring a critical gap between current defenses and realistic, multi-trigger threat models. The authors provide a multi-trigger poisoning dataset and codebase to spur future research, arguing for architecture-aware and hybrid defense mechanisms to counter more sophisticated backdoor threats.

Abstract

Backdoor attacks have become a significant threat to the pre-training and deployment of deep neural networks (DNNs). Although numerous methods for detecting and mitigating backdoor attacks have been proposed, most rely on identifying and eliminating the ``shortcut" created by the backdoor, which links a specific source class to a target class. However, these approaches can be easily circumvented by designing multiple backdoor triggers that create shortcuts everywhere and therefore nowhere specific. In this study, we explore the concept of Multi-Trigger Backdoor Attacks (MTBAs), where multiple adversaries leverage different types of triggers to poison the same dataset. By proposing and investigating three types of multi-trigger attacks including \textit{parallel}, \textit{sequential}, and \textit{hybrid} attacks, we demonstrate that 1) multiple triggers can coexist, overwrite, or cross-activate one another, and 2) MTBAs easily break the prevalent shortcut assumption underlying most existing backdoor detection/removal methods, rendering them ineffective. Given the security risk posed by MTBAs, we have created a multi-trigger backdoor poisoning dataset to facilitate future research on detecting and mitigating these attacks, and we also discuss potential defense strategies against MTBAs. Our code is available at https://github.com/bboylyg/Multi-Trigger-Backdoor-Attacks.

Figures (11)

• Figure 1: Effectiveness of multi-trigger attacks at various poisoning rates ($0.2\% \sim 10\%$) under 3 labeling modes (All2One, All2All, and All2Random) on the CIFAR-10 dataset. The results of All2One and All2All show that 1) different triggers can largely coexist at $10\%$ poisoning rate with high attack success rates (ASRs) but exhibit varied ASRs at extremely low poisoning rate ($0.2\%$).
• Figure 2: An illustrative comparison between single-trigger and multi-trigger backdoor attacks.
• Figure 3: An illustration of the three label modification strategies.
• Figure 4: Examples of 10 types of backdoor triggers.
• Figure 5: The t-SNE visualizations of parallel MTBAs on ResNet-18 models trained on CIFAR-10. Each color represents the deep representations learned for one type of poisoned samples.