This paper introduces Sparse Backdoor, a supply chain attack that injects provably undetectable backdoors into pre-trained image classifiers by adding structured sparse perturbations along random directions in fully connected layers. The key to undetectability is an isotropic Gaussian dither, which creates a clean reference distribution functionally equivalent to the original classifier under a margin condition. The authors prove that detecting the backdoor is as hard as Sparse PCA detection, offering white-box undetectability guarantees against probabilistic polynomial-time distinguishers.
Provably undetectable backdoors can be injected into pre-trained image classifiers, even with white-box access, by exploiting sparse perturbations and Gaussian dithering.
We present Sparse Backdoor, a supply-chain attack that plants a provably undetectable backdoor in pre-trained image classifiers, including convolutional networks and Vision Transformers. The attack injects a structured sparse perturbation along a randomly chosen direction into a small subset of columns at each fully connected layer, propagating a trigger signal to an adversary-chosen target class, and masks the perturbation with an independent isotropic Gaussian dither. The dither serves a single technical purpose: it induces a clean reference distribution anchored at the pre-trained weights, against which undetectability can be formalized. Under a mild margin condition on the pre-trained classifier, we show that the dithered reference is functionally equivalent to the original classifier. We prove that distinguishing the backdoor-injected model from this reference is at least as hard as Sparse PCA detection, which is computationally infeasible under standard hardness assumptions. The guarantee holds against any probabilistic polynomial-time distinguisher with white-box access to the parameters.