CatBack: Universal Backdoor Attacks on Tabular Data via Categorical Encoding

Backdoor attacks in machine learning have drawn significant attention for their potential to compromise models stealthily, yet most research has focused on homogeneous data such as images. In this work, we propose a novel backdoor attack on tabular data, which is particularly challenging due to the presence of both numerical and categorical features. Our key idea is a novel technique to convert categorical values into floating-point representations. This approach preserves enough information to maintain clean-model accuracy compared to traditional methods like one-hot or ordinal encoding. By doing this, we create a gradient-based universal perturbation that applies to all features, including categorical ones. We evaluate our method on five datasets and four popular models. Our results show up to a 100% attack success rate in both white-box and black-box settings (including real-world applications like Vertex AI), revealing a severe vulnerability for tabular data. Our method is shown to surpass the previous works like Tabdoor in terms of performance, while remaining stealthy against state-of-the-art defense mechanisms. We evaluate our attack against Spectral Signatures, Neural Cleanse, Beatrix, and Fine-Pruning, all of which fail to defend successfully against it. We also verify that our attack successfully bypasses popular outlier detection mechanisms.

Key Contributions

• Novel categorical-to-floating-point encoding technique that enables gradient-based universal perturbation triggers spanning both numerical and categorical tabular features
• Universal backdoor attack (CatBack) achieving up to 100% attack success rate in white-box and black-box settings, including real-world Vertex AI deployment
• Comprehensive evasion evaluation against Spectral Signatures, Neural Cleanse, Beatrix, Fine-Pruning, and outlier detection mechanisms — all of which fail to detect the attack

🛡️ Threat Analysis

Details

Similar Papers