Geometry-Aware Backdoor Attacks: Leveraging Curvature in Hyperbolic Embeddings
Ali Baheri
TL;DR
This work reveals a geometry-specific vulnerability in hyperbolic embeddings where triggers near the boundary produce large hyperbolic shifts while remaining stealthy to Euclidean detectors. It introduces a geometry-adaptive backdoor framework using a trigger $\tau(x)=\exp_x( s(x) P_{0\to x}(\delta) )$ with adaptive scaling and sparsity, along with a poisoning strategy and a multi-objective training objective that enforces geometric consistency. Theoretical results bound detectability and demonstrate geodesic amplification near the boundary, and a radial-defense trade-off shows that inward defenses degrade clean accuracy. Empirically, curvature-aware triggers achieve high ASR and reduced detection rates, especially near the boundary, across tasks, underscoring a practical security risk and informing the design of geometry-aware defenses.
Abstract
Non-Euclidean foundation models increasingly place representations in curved spaces such as hyperbolic geometry. We show that this geometry creates a boundary-driven asymmetry that backdoor triggers can exploit. Near the boundary, small input changes appear subtle to standard input-space detectors but produce disproportionately large shifts in the model's representation space. Our analysis formalizes this effect and also reveals a limitation for defenses: methods that act by pulling points inward along the radius can suppress such triggers, but only by sacrificing useful model sensitivity in that same direction. Building on these insights, we propose a simple geometry-adaptive trigger and evaluate it across tasks and architectures. Empirically, attack success increases toward the boundary, whereas conventional detectors weaken, mirroring the theoretical trends. Together, these results surface a geometry-specific vulnerability in non-Euclidean models and offer analysis-backed guidance for designing and understanding the limits of defenses.