attack 2025

A Set of Generalized Components to Achieve Effective Poison-only Clean-label Backdoor Attacks with Collaborative Sample Selection and Triggers

Zhixiao Wu , Yao Lu , Jie Wen , Hao Sun , Qi Zhou , Guangming Lu

0 citations · arXiv


Published on arXiv

2509.19947

Model Poisoning

OWASP ML Top 10 — ML10

Data Poisoning Attack

OWASP ML Top 10 — ML02

Key Finding

Three modular components (A, B, C) jointly improve both the attack success rate and the stealthiness of poison-only clean-label backdoor attacks (PCBAs), and they can be integrated into diverse existing PCBA methods rather than being tied to one trigger design.

Novel technique introduced: General Components (A, B, C)


Poison-only Clean-label Backdoor Attacks (PCBAs) covertly inject attacker-desired behavior into DNNs by poisoning only the training data, without changing any labels. To implant a backdoor effectively, multiple triggers have been proposed for different trade-offs between Attack Success Rate (ASR) and stealthiness. In addition, sample selection improves the ASR of clean-label attacks by carefully choosing "hard" samples to poison instead of random ones. Current methods have two shortcomings. 1) They usually handle sample selection and triggers in isolation, which severely limits the gains in both ASR and stealthiness; consequently, attacks converted to PCBAs by simply stacking methods perform poorly on the evaluation metrics. We therefore explore the bidirectional collaborative relations between sample selection and triggers to resolve this dilemma. 2) Because triggers are highly specific, a simple combination of sample selection and triggers fails to substantially improve both metrics while preserving generalization across attacks. We therefore propose a set of components, built on the commonalities of attacks, that significantly improve both stealthiness and ASR. Specifically, Component A identifies two critical selection factors and combines them according to the trigger scale to select more reasonable "hard" samples, improving ASR. Component B selects samples that are similar to the relevant trigger-implanted samples, promoting stealthiness. Component C reassigns trigger poisoning intensity across the RGB channels according to the human visual system's distinct sensitivity to each color, raising ASR while stealthiness is ensured by sample selection, including Component B. All components can be strategically integrated into diverse PCBAs.


Key Contributions

  • Component A: combines Category Diversity with Forgetting Event for trigger-scale-guided 'hard' sample selection to maximize ASR
  • Component B: selects samples visually similar to trigger-implanted samples to exploit the gap between human and computer vision, improving stealthiness
  • Component C: reassigns trigger poisoning intensity across RGB channels using human visual sensitivity differences to boost ASR while maintaining stealthiness
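As an added illustration (not the authors' code, and not the paper's exact formulas, which this page does not give), the following Python sketch shows the ideas behind the three components in their simplest form: hard-sample selection by counting forgetting events (Toneva et al.'s definition: a sample classified correctly at one epoch and incorrectly at the next), stealth-oriented selection by pixel-space similarity to a trigger-implanted reference, and luma-aware reassignment of per-channel trigger amplitude using the Rec. 601 luma coefficients as a stand-in for the human visual system's relative R/G/B sensitivity. The per-epoch correctness records, the two-pixel images, the inverse-sensitivity allocation rule and the "never learned means maximally hard" convention are all assumptions constructed for this example; Category Diversity, the paper's other selection factor, is not defined on this page and is not modelled here.

```python
"""Sketch of the three component ideas behind collaborative sample selection and
trigger design. Hypothetical code written for this page, not the paper's implementation."""
from typing import Dict, List, Sequence, Tuple

# Rec. 601 luma coefficients, used here as a proxy for the human visual system's
# relative sensitivity to R, G and B (green most visible, blue least). Assumption:
# the paper's actual sensitivity model is not given on this page.
LUMA: Tuple[float, float, float] = (0.299, 0.587, 0.114)

Pixel = Tuple[int, int, int]
Image = List[Pixel]  # flattened list of RGB pixels (constructed toy images)


def forgetting_events(correct_by_epoch: Sequence[int]) -> int:
    """Count epochs in which a sample flips from correctly classified (1) to
    misclassified (0). A sample never classified correctly is treated as maximally
    hard (a convention assumed for this sketch)."""
    if not any(correct_by_epoch):
        return len(correct_by_epoch)
    return sum(1 for prev, cur in zip(correct_by_epoch, correct_by_epoch[1:])
               if prev == 1 and cur == 0)


def select_hard_samples(records: Dict[int, Sequence[int]], k: int) -> List[int]:
    """Component A idea: pick the k sample ids with the most forgetting events
    (ties broken by id). The trigger-scale weighting is not modelled here."""
    ranked = sorted(records, key=lambda sid: (-forgetting_events(records[sid]), sid))
    return ranked[:k]


def mean_abs_diff(a: Image, b: Image) -> float:
    """Mean absolute per-channel difference between two same-sized images."""
    total = sum(abs(pa[c] - pb[c]) for pa, pb in zip(a, b) for c in range(3))
    return total / (3 * len(a))


def select_similar_samples(candidates: Dict[int, Image], reference: Image, k: int) -> List[int]:
    """Component B idea in its simplest pixel-space form: pick the k candidates
    closest to a trigger-implanted reference image so the trigger blends in."""
    ranked = sorted(candidates,
                    key=lambda sid: (mean_abs_diff(candidates[sid], reference), sid))
    return ranked[:k]


def reassign_rgb_intensity(uniform_amplitude: float,
                           weights: Sequence[float] = LUMA) -> Tuple[float, ...]:
    """Component C idea: redistribute a trigger amplitude that was uniform across
    channels so that the luma-weighted (perceptual) strength is unchanged while raw
    amplitude moves to the channels the eye is least sensitive to. The allocation
    rule used here, amplitude proportional to 1/w_c, is an assumption."""
    budget = uniform_amplitude * sum(weights)  # perceptual strength of the uniform trigger
    scale = budget / len(weights)
    return tuple(scale / w for w in weights)


def perceptual_strength(amplitudes: Sequence[float],
                        weights: Sequence[float] = LUMA) -> float:
    """Luma-weighted sum of per-channel amplitudes (the quantity held constant)."""
    return sum(a * w for a, w in zip(amplitudes, weights))


def apply_trigger(img: Image, amplitudes: Sequence[float], mask: Sequence[int]) -> Image:
    """Add the per-channel amplitudes on masked pixels, clipping to the 0..255 range.
    Clipping matters: the blue channel receives the largest raw amplitude."""
    out: Image = []
    for px, m in zip(img, mask):
        if m:
            out.append(tuple(min(255, max(0, int(round(v + a))))
                             for v, a in zip(px, amplitudes)))
        else:
            out.append(px)
    return out


if __name__ == "__main__":
    # Constructed per-epoch correctness records for four samples.
    records = {0: [1, 1, 1, 1, 1], 1: [0, 1, 0, 1, 0], 2: [0, 0, 1, 1, 1], 3: [0, 0, 0, 0, 0]}
    print("hard samples:", select_hard_samples(records, 2))
    amps = reassign_rgb_intensity(8.0)
    print("reassigned amplitudes:", amps, "perceptual strength:", perceptual_strength(amps))
```

The reassignment keeps the luma-weighted strength at the value a uniform 8-per-channel trigger would have, but the total raw amplitude grows because most of it is pushed into blue; `apply_trigger` shows why a saturation check is still needed after the reassignment.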

🛡️ Threat Analysis

Data Poisoning Attack

The attack vector is exclusively training data poisoning without label modification; Components A and B directly optimize which samples to poison, making data poisoning strategy central to the contribution.

Model Poisoning

Core contribution is improving backdoor/trojan injection into DNNs via clean-label poison-only attacks — triggers cause targeted misbehavior at inference while the model behaves normally on benign inputs.


Details

Domains
vision
Model Types
cnn
Threat Tags
training_time, targeted, digital
Applications
image classification