Undetectable Backdoors in Model Parameters: Hiding Sparse Secrets in High Dimensions
For ML security practitioners, this attack demonstrates that backdoors can be planted in model parameters with formal undetectability guarantees, posing a severe supply-chain risk.
Sparse Backdoor injects provably undetectable backdoors into pre-trained image classifiers by adding a structured sparse perturbation masked with Gaussian dither, making detection computationally infeasible under standard hardness assumptions.
We present Sparse Backdoor, a supply-chain attack that plants a \emph{provably undetectable} backdoor in pre-trained image classifiers, including convolutional networks and Vision Transformers. The attack injects a structured sparse perturbation along a randomly chosen direction into a small subset of columns at each fully connected layer, propagating a trigger signal to an adversary-chosen target class, and masks the perturbation with an independent isotropic Gaussian dither. The dither serves a single technical purpose: it induces a clean reference distribution anchored at the pre-trained weights, against which undetectability can be formalized. Under a mild margin condition on the pre-trained classifier, we show that the dithered reference is functionally equivalent to the original classifier. We prove that distinguishing the backdoor-injected model from this reference is at least as hard as Sparse PCA detection, which is computationally infeasible under standard hardness assumptions. The guarantee holds against any probabilistic polynomial-time distinguisher with white-box access to the parameters.