Table of Contents
Fetching ...

Invisible Clean-Label Backdoor Attacks for Generative Data Augmentation

Ting Xiang, Jinhui Zhao, Changjian Chen, Zhuo Tang

TL;DR

This paper addresses the security risks of generative data augmentation by showing that existing pixel-level clean-label backdoors are ineffective on generated data due to high adversarial perturbation sensitivity. It introduces InvLBA, an invisible backdoor that injects latent-space triggers into the diffusion process with end-to-end training, and provides theoretical guarantees on clean and poisoned generalization under the latent-trigger design. Empirical results across six datasets reveal substantial ASR improvements (average gains around $46.4\%$) with negligible clean accuracy loss and robustness to SOTA defenses and human inspection. The work highlights a concrete vulnerability in GDA pipelines and offers a principled latent-space attack framework with practical and theoretical foundations, suggesting directions for defense research and safer deployment of generative augmentation.

Abstract

With the rapid advancement of image generative models, generative data augmentation has become an effective way to enrich training images, especially when only small-scale datasets are available. At the same time, in practical applications, generative data augmentation can be vulnerable to clean-label backdoor attacks, which aim to bypass human inspection. However, based on theoretical analysis and preliminary experiments, we observe that directly applying existing pixel-level clean-label backdoor attack methods (e.g., COMBAT) to generated images results in low attack success rates. This motivates us to move beyond pixel-level triggers and focus instead on the latent feature level. To this end, we propose InvLBA, an invisible clean-label backdoor attack method for generative data augmentation by latent perturbation. We theoretically prove that the generalization of the clean accuracy and attack success rates of InvLBA can be guaranteed. Experiments on multiple datasets show that our method improves the attack success rate by 46.43% on average, with almost no reduction in clean accuracy and high robustness against SOTA defense methods.

Invisible Clean-Label Backdoor Attacks for Generative Data Augmentation

TL;DR

This paper addresses the security risks of generative data augmentation by showing that existing pixel-level clean-label backdoors are ineffective on generated data due to high adversarial perturbation sensitivity. It introduces InvLBA, an invisible backdoor that injects latent-space triggers into the diffusion process with end-to-end training, and provides theoretical guarantees on clean and poisoned generalization under the latent-trigger design. Empirical results across six datasets reveal substantial ASR improvements (average gains around ) with negligible clean accuracy loss and robustness to SOTA defenses and human inspection. The work highlights a concrete vulnerability in GDA pipelines and offers a principled latent-space attack framework with practical and theoretical foundations, suggesting directions for defense research and safer deployment of generative augmentation.

Abstract

With the rapid advancement of image generative models, generative data augmentation has become an effective way to enrich training images, especially when only small-scale datasets are available. At the same time, in practical applications, generative data augmentation can be vulnerable to clean-label backdoor attacks, which aim to bypass human inspection. However, based on theoretical analysis and preliminary experiments, we observe that directly applying existing pixel-level clean-label backdoor attack methods (e.g., COMBAT) to generated images results in low attack success rates. This motivates us to move beyond pixel-level triggers and focus instead on the latent feature level. To this end, we propose InvLBA, an invisible clean-label backdoor attack method for generative data augmentation by latent perturbation. We theoretically prove that the generalization of the clean accuracy and attack success rates of InvLBA can be guaranteed. Experiments on multiple datasets show that our method improves the attack success rate by 46.43% on average, with almost no reduction in clean accuracy and high robustness against SOTA defense methods.
Paper Structure (24 sections, 3 theorems, 23 equations, 4 figures, 6 tables, 1 algorithm)

This paper contains 24 sections, 3 theorems, 23 equations, 4 figures, 6 tables, 1 algorithm.

Key Result

Theorem 4.1

yu2024generalization Let $N = |\mathbf{D}_p|$. For any victim model $f$ and clean model $g \in \mathcal{H}_{W,D}$, if the trigger $P(x)$ meets the following three conditions for some $\epsilon > 0$, $\tau > 0$, $\lambda \ge 1$: where $f_c$ and $g_c$ denote the predicted probabilities of input x for class c. Then, with probability at least $1 - \delta - O(1/N)$, the poison generalization error hol

Figures (4)

  • Figure 1: The framework of InvLBA. InvLBA consists of two stages: (a) Trigger training, which learns a fixed latent-space trigger in SD guided by a surrogate classifier; (b) Generation with poison, which injects the learned trigger with probability $\alpha$ to generate poisoned data.
  • Figure 2: InvLBA against Neural Cleanse.
  • Figure 3: Exemplar clean images and poisoned images. Each row contains four clean images and one poisoned image. The correct answers are provided in Appendix \ref{['appendix:answer']}.
  • Figure 4: Ground-truth clean images and corresponding poisoned images. The poisoned image in each row is highlighted with a red border.

Theorems & Definitions (5)

  • Theorem 4.1
  • Theorem 5.1
  • Remark 5.2: How $\xi$ could be close to zero?
  • Remark 5.3: How $\eta$ could be close to zero?
  • Theorem 5.1