Bloodroot: When Watermarking Turns Poisonous For Stealthy Backdoor

Kuan-Yu Chen, Yi-Cheng Lin, Jeng-Lin Li, Jian-Jiun Ding

Abstract

Backdoor data poisoning is a crucial technique for ownership protection and defending against malicious attacks. Embedding hidden triggers in training data can manipulate model outputs, enabling provenance verification and deterring unauthorized use. However, current audio backdoor methods are suboptimal, as poisoned audio often exhibits degraded perceptual quality that is noticeable to human listeners. This work explores the intrinsic stealthiness and effectiveness of audio watermarking in achieving successful poisoning. We propose a novel Watermark-as-Trigger concept, integrated into the Bloodroot backdoor framework via adversarial LoRA fine-tuning, which enhances perceptual quality while achieving a much higher trigger success rate and clean-sample accuracy. Experiments on speech recognition (SR) and speaker identification (SID) datasets show that watermark-based poisoning remains effective under acoustic filtering and model pruning. The proposed Bloodroot backdoor framework not only secures data-to-model ownership, but also reveals the risk of adversarial misuse.

Paper Structure

This paper contains 10 sections, 5 equations, 3 figures, 3 tables, 1 algorithm.

Figures (3)

  • Figure 1: Overview of the backdoor attack and Bloodroot framework. (a) Training: A victim model is trained on a dataset containing a small fraction of poisoned samples. (b) Inference: Triggered inputs activate the backdoor (targeted misclassification), while clean inputs are processed normally. (c) Bloodroot: The base attack uses a pre-trained AudioSeal generator; "x5" denotes a poison level of $\alpha=5$ to scale the trigger perturbation. (d) Bloodroot-FT: LoRA fine-tuning refines the generator to optimize the trade-off between robustness and imperceptibility.
  • Figure 2: Ablation study about the impact of the poisoning rate on SC-10. (a) Benign accuracy (BA) and (b) attack success rate (ASR). (c)–(d) PESQ–ASR trade-offs, illustrating how the poisoning rate affects both attack success and perceptual quality.
  • Figure 3: ASR under a pruning defense [anwar2017structured] across pruning rates.