Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Architectural Backdoors for Within-Batch Data Stealing and Model Inference Manipulation

Nicolas Küchler, Ivan Petrov, Conrad Grobler, Ilia Shumailov

TL;DR

The authors identify a novel class of architectural backdoors that exploit batched inference to enable cross-user data leakage and manipulation within the same batch. They formalize a deterministic defense, Batch Isolation Checker, using static taint analysis and a Monoid-based Information Flow Control mechanism to certify non-interference across batch entries. A comprehensive large-scale survey of ONNX/Hugging Face models reveals widespread leakage risks linked to dynamic quantization, underscoring practical security concerns. The work extends architectural backdoor research to large language models, proposes precise attack modalities (Set, Get, Steer), and argues for provable, stack-wide security measures in shared ML deployments.

Abstract

For nearly a decade the academic community has investigated backdoors in neural networks, primarily focusing on classification tasks where adversaries manipulate the model prediction. While demonstrably malicious, the immediate real-world impact of such prediction-altering attacks has remained unclear. In this paper we introduce a novel and significantly more potent class of backdoors that builds upon recent advancements in architectural backdoors. We demonstrate how these backdoors can be specifically engineered to exploit batched inference, a common technique for hardware utilization, enabling large-scale user data manipulation and theft. By targeting the batching process, these architectural backdoors facilitate information leakage between concurrent user requests and allow attackers to fully control model responses directed at other users within the same batch. In other words, an attacker who can change the model architecture can set and steal model inputs and outputs of other users within the same batch. We show that such attacks are not only feasible but also alarmingly effective, can be readily injected into prevalent model architectures, and represent a truly malicious threat to user privacy and system integrity. Critically, to counteract this new class of vulnerabilities, we propose a deterministic mitigation strategy that provides formal guarantees against this new attack vector, unlike prior work that relied on Large Language Models to find the backdoors. Our mitigation strategy employs a novel Information Flow Control mechanism that analyzes the model graph and proves non-interference between different user inputs within the same batch. Using our mitigation strategy we perform a large scale analysis of models hosted through Hugging Face and find over 200 models that introduce (unintended) information leakage between batch entries due to the use of dynamic quantization.

Architectural Backdoors for Within-Batch Data Stealing and Model Inference Manipulation

TL;DR

The authors identify a novel class of architectural backdoors that exploit batched inference to enable cross-user data leakage and manipulation within the same batch. They formalize a deterministic defense, Batch Isolation Checker, using static taint analysis and a Monoid-based Information Flow Control mechanism to certify non-interference across batch entries. A comprehensive large-scale survey of ONNX/Hugging Face models reveals widespread leakage risks linked to dynamic quantization, underscoring practical security concerns. The work extends architectural backdoor research to large language models, proposes precise attack modalities (Set, Get, Steer), and argues for provable, stack-wide security measures in shared ML deployments.

Abstract

For nearly a decade the academic community has investigated backdoors in neural networks, primarily focusing on classification tasks where adversaries manipulate the model prediction. While demonstrably malicious, the immediate real-world impact of such prediction-altering attacks has remained unclear. In this paper we introduce a novel and significantly more potent class of backdoors that builds upon recent advancements in architectural backdoors. We demonstrate how these backdoors can be specifically engineered to exploit batched inference, a common technique for hardware utilization, enabling large-scale user data manipulation and theft. By targeting the batching process, these architectural backdoors facilitate information leakage between concurrent user requests and allow attackers to fully control model responses directed at other users within the same batch. In other words, an attacker who can change the model architecture can set and steal model inputs and outputs of other users within the same batch. We show that such attacks are not only feasible but also alarmingly effective, can be readily injected into prevalent model architectures, and represent a truly malicious threat to user privacy and system integrity. Critically, to counteract this new class of vulnerabilities, we propose a deterministic mitigation strategy that provides formal guarantees against this new attack vector, unlike prior work that relied on Large Language Models to find the backdoors. Our mitigation strategy employs a novel Information Flow Control mechanism that analyzes the model graph and proves non-interference between different user inputs within the same batch. Using our mitigation strategy we perform a large scale analysis of models hosted through Hugging Face and find over 200 models that introduce (unintended) information leakage between batch entries due to the use of dynamic quantization.

Paper Structure

This paper contains 22 sections, 4 equations, 3 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Threat Model
  3. Related Work
  4. Backdoors in Machine Learning
  5. Batch Isolation
  6. Batch Isolation Breaker
  7. Architectural Backdoors
  8. Architectural Backdoors for Large Language Models
  9. Steering Large Language Models with Backdoors
  10. Batch Isolation Breaker Evaluation
  11. Batch Isolation Checker
  12. Methodology
  13. Information Flow Control Mechanism
  14. Evaluation
  15. Implementation
  16. ...and 7 more sections

Figures (3)

  • Figure 1: Architectural backdoor that exploits batched inference. The left side depicts a model processing batched inputs and producing batched outputs, with a backdoor (a "Trigger Detector" for detecting the attacker's trigger, and "Signal Integration" for deviating from normal operation) integrated into the architecture. The right side details three attacks when attacker's and victim's inputs are processed in the same batch: stealing victim output: the attacker's output is manipulated to include the victim's output; changing victim output: the attacker alters the output intended for the victim; and steering victim output: the attacker influences the victim's output, guiding it towards a specific outcome.
  • Figure 2: Transformer backdoor components. The "Trigger Detector" checks the K-Cache for commands like "@@get", "@@set", or "@@str". Upon trigger activation, "Signal Integration" executes a "Get", "Set" or "Steer" attack, thereby modifying the output that passes through the Transformer.
  • Figure 3: Batch Isolation Checker evaluation results.

Theorems & Definitions (1)

  • Definition 1: Label Propagation Monoid