Invisible Clean-Label Backdoor Attacks for Generative Data Augmentation
Ting Xiang, Jinhui Zhao, Changjian Chen, Zhuo Tang
TL;DR
This paper addresses the security risks of generative data augmentation by showing that existing pixel-level clean-label backdoors are ineffective on generated data due to high adversarial perturbation sensitivity. It introduces InvLBA, an invisible backdoor that injects latent-space triggers into the diffusion process with end-to-end training, and provides theoretical guarantees on clean and poisoned generalization under the latent-trigger design. Empirical results across six datasets reveal substantial ASR improvements (average gains around $46.4\%$) with negligible clean accuracy loss and robustness to SOTA defenses and human inspection. The work highlights a concrete vulnerability in GDA pipelines and offers a principled latent-space attack framework with practical and theoretical foundations, suggesting directions for defense research and safer deployment of generative augmentation.
Abstract
With the rapid advancement of image generative models, generative data augmentation has become an effective way to enrich training images, especially when only small-scale datasets are available. At the same time, in practical applications, generative data augmentation can be vulnerable to clean-label backdoor attacks, which aim to bypass human inspection. However, based on theoretical analysis and preliminary experiments, we observe that directly applying existing pixel-level clean-label backdoor attack methods (e.g., COMBAT) to generated images results in low attack success rates. This motivates us to move beyond pixel-level triggers and focus instead on the latent feature level. To this end, we propose InvLBA, an invisible clean-label backdoor attack method for generative data augmentation by latent perturbation. We theoretically prove that the generalization of the clean accuracy and attack success rates of InvLBA can be guaranteed. Experiments on multiple datasets show that our method improves the attack success rate by 46.43% on average, with almost no reduction in clean accuracy and high robustness against SOTA defense methods.
