Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Backdooring CLIP through Concept Confusion

Lijie Hu, Junchi Liao, Weimin Lyu, Shaopeng Fu, Tianhao Huang, Shu Yang, Guimin Hu, Di Wang

TL;DR

The paper identifies a security vulnerability in CLIP by shifting backdoor attacks from input-space triggers to internal concept representations. It introduces the Concept Confusion Attack ($C^2$Attack), which relabels images that strongly exhibit a chosen concept to a target class, embedding the trigger in the model’s reasoning rather than the input. Through theoretical analysis and extensive experiments on CIFAR-10, CIFAR-100, and Tiny-ImageNet with multiple CLIP ViT architectures, the approach achieves high attack success rates while preserving clean accuracy and evading input-based defenses. The work highlights a critical blind spot in current defenses and motivates developing strategies that monitor and mitigate concept-level vulnerabilities in multimodal foundation models.

Abstract

Backdoor attacks pose a serious threat to deep learning models by allowing adversaries to implant hidden behaviors that remain dormant on clean inputs but are maliciously triggered at inference. Existing backdoor attack methods typically rely on explicit triggers such as image patches or pixel perturbations, which makes them easier to detect and limits their applicability in complex settings. To address this limitation, we take a different perspective by analyzing backdoor attacks through the lens of concept-level reasoning, drawing on insights from interpretable AI. We show that traditional attacks can be viewed as implicitly manipulating the concepts activated within a model's latent space. This motivates a natural question: can backdoors be built by directly manipulating concepts? To answer this, we propose the Concept Confusion Attack (CCA), a novel framework that designates human-understandable concepts as internal triggers, eliminating the need for explicit input modifications. By relabeling images that strongly exhibit a chosen concept and fine-tuning on this mixed dataset, CCA teaches the model to associate the concept itself with the attacker's target label. Consequently, the presence of the concept alone is sufficient to activate the backdoor, making the attack stealthier and more resistant to existing defenses. Using CLIP as a case study, we show that CCA achieves high attack success rates while preserving clean-task accuracy and evading state-of-the-art defenses.

Backdooring CLIP through Concept Confusion

TL;DR

The paper identifies a security vulnerability in CLIP by shifting backdoor attacks from input-space triggers to internal concept representations. It introduces the Concept Confusion Attack (Attack), which relabels images that strongly exhibit a chosen concept to a target class, embedding the trigger in the model’s reasoning rather than the input. Through theoretical analysis and extensive experiments on CIFAR-10, CIFAR-100, and Tiny-ImageNet with multiple CLIP ViT architectures, the approach achieves high attack success rates while preserving clean accuracy and evading input-based defenses. The work highlights a critical blind spot in current defenses and motivates developing strategies that monitor and mitigate concept-level vulnerabilities in multimodal foundation models.

Abstract

Backdoor attacks pose a serious threat to deep learning models by allowing adversaries to implant hidden behaviors that remain dormant on clean inputs but are maliciously triggered at inference. Existing backdoor attack methods typically rely on explicit triggers such as image patches or pixel perturbations, which makes them easier to detect and limits their applicability in complex settings. To address this limitation, we take a different perspective by analyzing backdoor attacks through the lens of concept-level reasoning, drawing on insights from interpretable AI. We show that traditional attacks can be viewed as implicitly manipulating the concepts activated within a model's latent space. This motivates a natural question: can backdoors be built by directly manipulating concepts? To answer this, we propose the Concept Confusion Attack (CCA), a novel framework that designates human-understandable concepts as internal triggers, eliminating the need for explicit input modifications. By relabeling images that strongly exhibit a chosen concept and fine-tuning on this mixed dataset, CCA teaches the model to associate the concept itself with the attacker's target label. Consequently, the presence of the concept alone is sufficient to activate the backdoor, making the attack stealthier and more resistant to existing defenses. Using CLIP as a case study, we show that CCA achieves high attack success rates while preserving clean-task accuracy and evading state-of-the-art defenses.

Paper Structure

This paper contains 29 sections, 1 theorem, 10 equations, 3 figures, 11 tables.

Table of Contents

  1. Introduction
  2. Related Works
  3. Preliminaries
  4. Concept Confusion Framework
  5. Concept Activation Shift
  6. $C^2$Attack: Concept Confusion Attack
  7. Theoretical Analysis
  8. Experiments
  9. Experimental Settings
  10. Attack Performance
  11. Defense and Detection
  12. Ablation Study
  13. Conclusion
  14. The Use of Large Language Models (LLMs)
  15. Experimental Settings
  16. ...and 14 more sections

Key Result

Theorem 4.2

Under Assumption assumption:uniform, if a concept confusion attack with $N$ training samples and $K$ concepts achieves success rate $\mathrm{ASR} \geq 1 - \delta$ for some $\delta \in (0,1)$, then the data flipping rate satisfies: where $H(Q) = \log K$ is the concept entropy, and $\iota \leq \log |\mathcal{Y}|$ is the per-sample information budget.

Figures (3)

  • Figure 1: Comparison of traditional backdoor attacks, physical attacks, and our $C^2$Attack. Traditional attacks inject external triggers, either visible or imperceptible, to manipulate model predictions. Physical attacks wenger2020backdoor rely on explicit real-world objects, making them externally visible. In contrast, $C^2$Attack introduces no external trigger. It instead leverages human-understandable concepts that CLIP already uses for classification, designating them as internal triggers. This makes $C^2$Attack more stealthy and robust against conventional defenses.
  • Figure 2: Overview of our $C^2$Attack framework. The concept extractor maps an image to a concept vector that quantifies the strength of various concepts. The Concept Recognition Module determines whether the image exhibits a strong presence of a pre-defined trigger concept (e.g., water). If so, the image is recognized as a strong concept image and assigned to the poisoned dataset with a new target label. Otherwise, it is assigned to the clean dataset without any changes. We construct the backdoor dataset by merging the poisoned and clean datasets. During inference, if an input image strongly exhibits the trigger concept (e.g., $c_{\text{water}} = 0.92 > \sigma$), the backdoored model misclassifies its original label (e.g., duck) as the target label (e.g., boat). Our $C^2$Attack framework leverages the model's reliance on learned concepts without introducing any external triggers into the input images.
  • Figure 3: Impact of the number of trainable layers. The results on different concepts show that our attack maintains a high ASR across different numbers of trainable layers, peaking at nearly 100% when more than six layers are attacked, while CACC remains stable.

Theorems & Definitions (1)

  • Theorem 4.2