Backdoor in Seconds: Unlocking Vulnerabilities in Large Pre-trained Models via Model Editing

Q3: The setting for evaluation with defense mechanisms is vague.

and

Q4: Can authors provide more explanations regarding the evaluation with defense mechanisms like the detailed setups?

Thank you for your comments regarding the evaluation with defense mechanisms. Below, we provide additional clarifications and justifications for the selection of defenses.

1. Justification for Selected Defenses

   • Our evaluation focuses on input-level backdoor detection mechanisms because our method provides a fully trained model for inference. For most Large-pretrained models like CLIP, training data is unavailable, and retraining is computationally prohibitive, making inference-phase defenses the practical choice for most users.
   • We selected STRIP and Scale-Up as they represent two widely adopted approaches for input-level backdoor detection, and they are effective and efficient:
     • STRIP: A white-box defense mechanism that examines output entropy across perturbed inputs to identify backdoor behaviors. It assumes access to the model for direct analysis during inference.
     • Scale-Up: A state-of-the-art black-box detection mechanism that detects backdoors by analyzing input-output patterns without requiring access to the model's internal parameters.
   • These defenses were chosen to evaluate our method against both white-box and black-box settings, ensuring a robust evaluation under different attack scenarios.

2. Detailed Experimental Setups

   • STRIP: We applied random perturbations to inputs and measured the entropy of the model’s predictions. Models infected with backdoors typically exhibit lower entropy for inputs containing the trigger, making detection possible.
   • Scale-Up: We used Scale-Up’s procedures to analyze the outputs of the model under various inputs, identifying inconsistencies associated with backdoor triggers. This method provides a complementary evaluation to STRIP by working in a black-box setting.

Q5: Can the authors provide comparisons regarding the computational cost to conduct backdoor attacks with comparisons with previous methods?

A: Thank you for your question regarding the computational cost. We have shown the computational cost in the Ablation study in Table 4. Specifically, the time consumed by EDT is less than 0.01 hour. This efficiency can be attributed to the following reasons:

1. Training-Free Method: Unlike other methods that require extensive retraining or fine-tuning, EDT is a training-free approach. As a result, there is no additional training time associated with our method, and the training time is effectively zero.

2. Forward Process for Codebook Generation: While EDT does not involve training, it requires one forward pass through the model to extract the target embedding used as the value in the codebook entry. This forward process is lightweight and takes only a few seconds, contributing negligibly to the overall computation time.

These factors combined make EDT an extremely efficient method, with time consumption that is effectively negligible compared to methods requiring retraining.

We thank the reviewer for providing valuable feedback to improve our paper. We have addressed your hesitations below.

Q1: This paper merely discusses the possibility of the image-level backdoor attacks, leaving a blank for the text-level backdoor attacks.

A: Thank you for the insightful feedback. We agree that including a discussion on text-level backdoor attacks could enhance understanding of EDT's broader applicability. However, our current focus on image-level backdoors was driven by the pressing need for efficient, data-free attacks within visual models, particularly given the prevalence of large pre-trained architectures like Vision Transformers (ViT) and CLIP in this space.

• Focus on Visual Models: The majority of current work in backdoor attacks centers around visual models, with architectures like ViT and ResNet leading in deployment and vulnerability studies. Addressing these models directly enables us to compare EDT’s efficacy against established visual baselines.

• Comparability with Existing Baselines: To ensure fair benchmarking, we focused on the image domain, where existing baselines rely heavily on data poisoning techniques that target visual data in supervised learning contexts. These visual backdoor attacks typically involve label manipulation through one-hot encoded targets rather than text labels, facilitating direct comparison with EDT.

While our study emphasizes image-level attacks, we see potential for future extensions of EDT to text-based and multi-modal models, which would require adaptation of the embedding manipulation technique to accommodate the unique characteristics of token embeddings and text semantics. We appreciate this suggestion, as it highlights a valuable direction for further work.

Q2: More recent backdoor attack approaches [a, b] are not discussed and compared.

[a] BadCLIP: Trigger-Aware Prompt Learning for Backdoor Attacks on CLIP [b] IMTM: Invisible Multi-trigger Multimodal Backdoor Attack

A: Thanks for introducing new baselines. The IMTM[2] paper has not released their code, but we have included comparisons with BadCLIP [1] in our experiments to address this concern. The results are summarized in the table below:

From these results, we observe that our method achieves the best performance in terms of ASR (Attack Success Rate) and demonstrates superior performance on the $\Delta$CA (change in clean accuracy) metric, which are the key metrics for evaluating the success of a backdoor attack. Although our CA (clean accuracy) is slightly lower than BadClip, this is reasonable because BadClip is based on a prompt-tuning version of CLIP that is fine-tuned on the target training set. This additional fine-tuning improves clean accuracy, resulting in a higher CA than ours. However, during backdoor injection, BadClip’s CA still drops to some degree, whereas our method achieves almost 0% accuracy drop. This highlights our method's superior ability to maintain clean performance while achieving state-of-the-art backdoor success rates.

[1] Badclip: Trigger-aware prompt learning for backdoor attacks on clip. CVPR 2024

[2] IMTM: Invisible Multi-trigger Multimodal Backdoor Attack

Thanks very much for your feedback! We respond to each of your concerns below.

Q1: Although a new threat model (backdoor attack in large pre-trained models) is valid, the proposed method is not evidently an actual threat because there are assumptions that are not explicitly stated.

A: Thanks for the thoughtful question about the assumption we make. Here is a clear list of our assumptions regarding the adversary's capabilities, as outlined in Section 2.3 (Threat Model):

• Knowledge of Model Architecture: The attacker is assumed to know the structure of the victim model, following similar assumptions as prior works such as BadClip[1] and An Embarrassingly Simple Approach for Trojan Attack[2].

Beyond that, we reduce the attack ability to make the attack more practical and feasible. The assumptions are as follows:

• No Access to Training Data: The attacker does not have access to the original training dataset used to develop the large pre-trained model.

• No Retraining or Fine-Tuning: The attacker cannot re-train or fine-tune the pre-trained model, operating instead in a training-free and data-free setting.

These assumptions help to clarify the practicality of our threat model, highlighting the realistic conditions under which EDT can operate as a novel and feasible attack in scenarios where retraining or data access is limited.

[1] BadCLIP: Trigger-Aware Prompt Learning for Backdoor Attacks on CLIP, cvpr2024

[2] An Embarrassingly Simple Approach for Trojan Attack in Deep Neural Networks, kdd2020

Q2: This attack does not modify the model; the victim must use the model and backdoor logic hardcoded in the code. The paper assumes the victims do not read the code and use the backdoored model as it is to make the backdoor work.

A: Thank you for your comment. Here, we clarify how our method aligns with traditional backdoor attack principles and sharing the same assumption with prior works.

1. Traditional Backdoors typically involve modifying model parameters or injecting poisoned data during training. In these setups, the attacker has full control over the training process and introduces malicious data to embed hidden behaviors. "Once trained, the compromised model is delivered to end-users as-is" [1,2,3].

2. It’s important to note that we do NOT assume the victim will overlook the code. Instead, our method is designed to be justifiable, as the model maintains strong clean performance and, in some domain adapation cases, even shows improved functionality (see Table 2 in our paper). This added utility can serve as a rationale for model modifications, enhancing the model’s appeal to users. Furthermore, the codebook contains embeddings rather than explicit features, making the backdoor logic more difficult to interpret even if victims inspect the code. By doing that, our method maintains stealth and efficacy, particularly in the context of large pre-trained models.

[1] Learnable, Imperceptible and Robust Backdoor Attacks. ICCV 2021 [2] Backdoor Attacks with Arbitrary Target Class. NeurIPS 2022 [3] WaNet – Imperceptible Warping-based Backdoor Attack. ICLR 2021

Q5: The definition of the backdoor should be re-defined. The traditional backdoors embed a hidden functionality in the model. The backdoor cannot be seen from the model or the code. If you put some additional rules in the code, this will be clearly seen by a user. Will it still be called backdoors? Please explicitly compare the proposed approach to traditional backdoors in terms of detectability and stealthiness. Given differences, please discuss whether the proposed attack is still qualified as backdoor or not.

A: Thanks for the insightful question. We want to clarify that our method satisfy the Backdoor attack definition.

Backdoor Definition: Our method meets the standard definition of a backdoor attack, as it embeds hidden functionality in the model that remains stealthy during regular use and only activates under specific triggers. This aligns with traditional backdoor characteristics, where covert functionality is injected and the model’s behavior remains unchanged on clean inputs. A key element of a successful backdoor is its stealthiness, meaning the model must perform normally on clean data to avoid detection.

Some prior works achieve stealthiness by directly modifying model parameters [1,2,3,4,5], while others add new layers or modules [6,7]. Specifically, [6] introduce a meta-net within the CLIP encoder to dynamically generate soft prompt for CLIP classification. [7] injects a new deep nerual network beyond the original model.

Our approach is particularly well-suited for today’s era of large pre-trained models, where traditional data poisoning or parameter modification approaches may not be feasible due to the scale and accessibility constraints of these models. Instead, our method leverages lightweight embedding manipulation without retraining or access to the original training data.

Detectability and Stealthiness Comparison:

• Traditional Backdoors: Conventional backdoors typically involve modifying model parameters or injecting poisoned data during training. In these setups, the attacker has full control over the training process and introduces malicious data to embed hidden behaviors. Once trained, the compromised model is delivered to end-users as-is [1,2,3]. To ensure stealth, these attacks aim to maintain the model’s accuracy on clean data, concealing any malicious modifications within the model’s parameters [1,2,3,4,5].

• Our Approach: In our setting, we prioritize this stealthy behavior, which is crucial for large pre-trained models adopted widely and often without additional scrutiny. As discussed in Section 2.2 of our paper, Property 1 specifies that an effective backdoor attack on large pre-trained models should be stealthy and model-agnostic, preserve performance on clean samples, and ideally enhance performance in specific scenarios. Our approach goes beyond simply maintaining accuracy on clean data; it also improves the model's adaptability in certain tasks. Thus, the attacks can claim that they have improved the model to justify the model changes. This enhancement increases the model’s appeal to users, making the backdoor more likely to be adopted without suspicion. In contrast, traditional backdoor attacks can sometimes cause a slight performance drop even on clean inputs.

Conclusion: Our method, like traditional backdoors, maintains hidden functionality, retains clean accuracy, and enhances stealthiness. Given its compatibility with large pre-trained models, it is a robust and effective backdoor attack method, particularly relevant in the current landscape of large-scale, widely deployed models.

[1] Learnable, Imperceptible and Robust Backdoor Attacks. ICCV 2021

[2] Backdoor Attacks with Arbitrary Target Class. NeurIPS 2022

[3] WaNet – Imperceptible Warping-based Backdoor Attack. ICLR 2021

[4] Badnets: Evaluating Backdooring Attacks on Deep Neural Networks. 2019

[5] Blended: Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning , 2017

[6] BadCLIP: Trigger-Aware Prompt Learning for Backdoor Attacks on CLIP, CVPR 2024

[7] An Embarrassingly Simple Approach for Trojan Attack in Deep Neural Networks, KDD 2020

Q4: The paper does not propose the model editing technique. It is basically a specific version for GRACE. Therefore, contribution 2 seems a bit over-claimed. In addition, contributions 2, 3, and 4 are overlapped. Multiple triggers are a by-product of the GRACE editing technique using a codebook. I am not sure it stands as a new finding (contribution).

and

Q6: I recognize that the paper is a new application of GRACE for a backdoor functionality. However, it should be clearly distinguished between GRACE and this patch embedding manipulation with a codebook. Please provide a detailed comparison between the proposed approach and GRACE, highlighting the key differences and innovations in the proposed method.

A: Thank you for the concerning about the similarity betwenn our methods and GRACE. We would like to clarify that our method introduces a new model editing approach, distinct from the existing GRACE technique.

While both our method and GRACE are memory-based, memory usage is a general concept applied in various approaches, as seen in prior works [1,2,3]. Despite this shared concept, our techniques differ fundamentally w.r.t purpose, application, and methodology.

1. Objective Difference: GRACE focuses on model editing for language tasks, specifically making targeted corrections to model behavior, such as updating outdated knowledge (e.g., changing "Joe" to "Trump" as the new president). Our approach, by contrast, is designed for distribution adaptation, where the model is guided to align one distribution to another using a memory-based codebook. For example, as shown in Table 2 of our paper, our method effectively adapts real images to sketch images.

2. Technical Compatibility: Our method is versatile across various vision models, including ResNet, Vision Transformers, and CLIP. In contrast, GRACE operates within transformer blocks in language models. This technical difference allows our approach to support a broader range of model architectures and applications beyond language processing.

3. Embedding Manipulation Methodology: The technique we use for embedding manipulation is also different. In GRACE, target embeddings are calculated through fine-tuning within the embedding space:

   $$h = f^{-1}(y),$$

   where $f^{-1}$ denotes the reverse process in the language model.

   In our approach, we propose a novel, training-free forward method for adaptation, formulated as:

   $$h = argmax_k (sim(f_\theta(x), K))$$

   This approach enables efficient adaptation without the need for fine-tuning.

Consequently, multi-trigger attacks are not an inherent feature derived from GRACE; instead, by leveraging multiple keys and storing distribution samples, our method supports multi-trigger attacks as an independent capability. Specifically, the baseline methods fall short in the multi-trigger attack, which leads to lower attack success rate. But our method can maintain a high attack success rate, as shown in table 5 in the paper.

[1] BadCLIP: Trigger-Aware Prompt Learning for Backdoor Attacks on CLIP, CVPR 2024

[2] An Embarrassingly Simple Approach for Trojan Attack in Deep Neural Networks, KDD 2020

[3] Memory-based model editing at scale. ICML 2022.

Thank you for your detailed response. Let me focus on my main concern (i.e., threat model).

No Retraining or Fine-Tuning: The attacker cannot re-train or fine-tune the pre-trained model, operating instead in a training-free and data-free setting.

I think the main purpose of large models in real world applications is to be used as a base model so that it can be adapted to many down-stream tasks. The training data is for sure not available. The victims will still fine-tune the large model with his own data. I am not convinced this is a practical assumption.

It’s important to note that we do NOT assume the victim will overlook the code.

Your selling point is EDT model has a better performance of the stated down-stream task. Therefore, it is attractive to be used as it is. I think this is not practical. First, you do not know the the victim's down stream tasks. It is not possible to make the EDT model good at all down-stream tasks.

This type of backdoor in the code does not reveal any of model weakness. I do not understand why it is considered as a machine learning security threat. It is more like a social engineering attack that exploits the victim's weakness.

Thank you for your continued engagement and for sharing your concerns. Here, we would like to clarify some points:

Feedback 1: I think the main purpose of large models in real world applications is to be used as a base model so that it can be adapted to many down-stream tasks. The training data is for sure not available. The victims will still fine-tune the large model with his own data. I am not convinced this is a practical assumption.

A: Thank you for your thoughtful feedback. First, we want to explain the attacking process. Our attack targets a base pre-trained model, rather than a specific downstream task. While most existing backdoor attack methods require training data, our method does not. If "the training data is for sure not available," traditional attacks may fail to work. Additionally, we agree that victims may still fine-tune the large model using their own data. Below, we analyze different scenarios where large models are used and explain how our threat model applies to each case, highlighting cost and feasibility considerations.

From the comparison, we can observe that:

1. EDT’s Adaptability Across Scenarios:

   • EDT remains fully effective on No Fine-Tuning,Parameter-Efficient Fine-Tuning (PEFT), and Partial Fine-Tuning setting, covering the majority of use cases for large pre-trained models. Traditional backdoors, however, degrade significantly under partial fine-tuning or PEFT due to their reliance on specific model parameters that may be altered.

2. Practicality and Cost:

   • EDT’s training-free and data-free design makes it highly cost-efficient and practical for real-world scenarios where large pre-trained models are either deployed as-is or adapted with minimal modifications.

Thank you again for your valuable feedback. I hope this addresses your concerns and provides further clarity on EDT’s effectiveness across various real-world deployment scenarios.

[1] Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. Fine-pruning: Defending against backdooring attacks on deep neural networks. In RAID, 2018.

[2] Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. Neural attention distillation: Erasing backdoor triggers from deep neural networks. In ICLR, 2021.

Thank you for your feedback, we are glad for the opportunity to clarify some points.

Q1: and Q7: Clarify the missing important related works.

A: Thank you for providing the related works. We acknowledge the contributions of prior works [1,2]. However, we would like to clarify the key differences, the unique contributions of EDT.

Key differences:

1. Threat Model and Feasibility:

   • EDT operates in a data-free, training-free environment, making it highly feasible for large pre-trained models deployed on public platforms where attackers typically lack white-box access to training data or computational resources. Unlike [1], which requires iterative parameter modifications and full model retraining, and SRA, which needs access to architecture information and clean samples, EDT enables efficient backdoor injection without such dependencies.
   • Handcrafted Backdoor [1] depends on extensive training data access and budget, requiring white-box access and training resources to craft backdoors. This makes it effective mainly in scenarios where attackers can directly influence the training pipeline.
   • SRA [2] targets deployment-stage attacks on end-user devices where attackers have architecture access but not necessarily weight values. This gray-box setting allows SRA to modify weight parameters through subnet replacements to inject backdoors, making it practical on end-user devices but less suited for large-scale, pre-trained public models without specific architecture access.

2. Methodology and Attack Mechanism:

   • EDT leverages a lightweight codebook mechanism that operates within the embedding space, adapting embeddings based on specific triggers. This approach is data-free and training-free, bypassing the need for parameter adjustment or model retraining, and making EDT effective across multiple architectures (e.g., Vision Transformers, CLIP).
   • Handcrafted Backdoor uses a parameter-based method, where backdoor functionality is embedded by iteratively adjusting model parameters, requiring substantial access to model gradients and retraining. This parameter-level control provides high flexibility but is limited in large models with inaccessible training data.
   • SRA modifies model weights by replacing benign subnets with crafted backdoor subnets. This direct parameter modification is effective in gray-box, deployment-stage settings but is architecture-dependent, as subnet selection and replacement may require specific configurations for different model structures.

3. Scalability and Efficiency:

   • EDT offers high scalability across different architectures due to its data-free, training-free design. It achieves efficient, multi-trigger injections without computational retraining or parameter-based adjustments, making it adaptable to various architectures and suitable for real-time applications.
   • Handcrafted Backdoor requires extensive training data and computational resources, which limits scalability for large models where parameter adjustment and training resources are constrained.
   • SRA, while effective in gray-box settings, is architecture-dependent and may involve additional steps for subnet replacement across different models. This method is efficient for deployment-stage attacks on end-user devices but less suited to large, cloud-based pre-trained models.

In sum, although prior works are modifying the model for backdoor attacks, they require extensive training data and high computational costs, which are fundamentally different from the threat model proposed in our work. We have also included these related works in the Related Work section for a more comprehensive discussion.

[1] Handcrafted Backdoors in Deep Neural Networks. NeurIPS 2022.

[2] Towards Practical Deployment-Stage Backdoor Attack on Deep Neural Networks. CVPR 2022.

Q3: Evaluation against different backdoor defenses. Two defenses have been discussed in the paper. But, still, the selection of the defenses needs to be justified. In particular, why were these two defenses selected? Will state-of-the-art backdoor defenses, e.g., [d], be effective against the proposed backdoor attack? Another concern is that defenses may easily spot the introduction of the codebook. It would be great if the authors could explain how to conceal the new block to make it less suspicious to the users. One potential possibility is that when the trained models are translated into some executable inference modules, the codebook will be harder to figure out. Please clarify.

and

Q9: Clarify the evaluation against defenses and potential mitigations.

A: Thank you for your comments regarding the evaluation with defense mechanisms. Below, we provide additional clarifications and justifications for the selection of defenses and discuss how the codebook can be concealed to reduce suspicion.

1. Justification for Selected Defenses

   • Our evaluation focuses on input-level backdoor detection mechanisms because our method provides a fully trained model for inference. For most Large-pretrained models like CLIP, training data is unavailable, and retraining is computationally prohibitive, making inference-phase defenses the practical choice for most users.
   • We selected STRIP and Scale-Up as they represent two widely adopted approaches for input-level backdoor detection, and they are effective and efficient:
     • STRIP: A white-box defense mechanism that examines output entropy across perturbed inputs to identify backdoor behaviors. It assumes access to the model for direct analysis during inference.
     • Scale-Up: A state-of-the-art black-box detection mechanism that detects backdoors by analyzing input-output patterns without requiring access to the model's internal parameters.
   • These defenses were chosen to evaluate our method against both white-box and black-box settings, ensuring a robust evaluation under different attack scenarios.

2. Detailed Experimental Setups

   • STRIP: We applied random perturbations to inputs and measured the entropy of the model’s predictions. Models infected with backdoors typically exhibit lower entropy for inputs containing the trigger, making detection possible.
   • Scale-Up: We used Scale-Up’s procedures to analyze the outputs of the model under various inputs, identifying inconsistencies associated with backdoor triggers. This method provides a complementary evaluation to STRIP by working in a black-box setting.

3. Stealthiness and Concealment of the Codebook

   • Domain Adaptation Improvements: The codebook improves domain adaptation, enabling better generalization to out-of-distribution data. This added utility makes it less suspicious to users, as the codebook appears to be a legitimate enhancement to the model’s performance.
   • Difficulty in Identifying Entries: It is inherently challenging to determine whether a codebook entry is malicious or benign, much like identifying whether a specific neuron in a neural network is "good" or "bad." This ambiguity adds another layer of stealth to the backdoor.

Q4: In Table 4, the time of EDT is 0.00. Does it mean that the time consumed is less than 0.01?

A: Thank you for your question regarding the injection time in Table 4. The "0.00" in the table indicates that the time consumed by EDT is less than 0.01 hour. This efficiency can be attributed to the following reasons:

1. Training-Free Method: Unlike other methods that require extensive retraining or fine-tuning, EDT is a training-free approach. As a result, there is no additional training time associated with our method, and the training time is effectively zero.

2. Forward Process for Codebook Generation: While EDT does not involve training, it requires one forward pass through the model to extract the target embedding used as the value in the codebook entry. This forward process is lightweight and takes only a few seconds, contributing negligibly to the overall computation time.

These factors combined make EDT an extremely efficient method, with time consumption that is effectively negligible compared to methods requiring retraining.

Q5: The authors claimed that training BadNets exceeds the attack budget. If possible, the exact budget and justification need to be clarified.

A: Thank you for your question regarding the attack budget for training BadNets. To clarify, training large models like Vision Transformers (ViT) from scratch requires substantial computational resources that exceed typical attack budgets.

In the original Vision Transformer paper [1,2], ViT models were trained on the ImageNet dataset for 300 epochs using the Adam optimizer with a learning rate of 0.003 and a batch size of 4096. This training was conducted on 8 TPUv3 cores over approximately 3 days, as outlined in Section 4.1 of Dosovitskiy et al.

Reproducing this retraining on an NVIDIA A100 GPU would take an estimated 30 days, as the BadNets method requires poisoning the training data and retraining the model. Based on current AWS pricing, using a single A100 GPU costs around 4.10 dollars per hour. For 30 days (or 720 hours), this results in an estimated cost of approximately 2,952 dollars. This expense, combined with the extended training time, significantly exceeds the computational and financial constraints typical of an adversarial attack budget.

This limitation illustrates why retraining or fine-tuning a model with poisoned data, as in the BadNets approach, is infeasible in our scenario. Instead, our method leverages an efficient, training-free approach to introduce backdoors, making it much more practical and cost-effective.

However, to address this limitation and provide a comparison, we adopt a pre-trained ViT model and retrain only the final classifier layer for the BadNets baseline. This approach significantly reduces the training cost and makes the comparison feasible. Notably, this setup loosens the requirements for BadNets and other retraining-based attack models, making them less computationally demanding for evaluation purposes.

From these results, our method still outperforms the baseline method. This distinction emphasizes the efficiency and practicality of our proposed training-free approach, which eliminates the need for any retraining or extensive computational resources while maintaining high performance and stealth.

[1] Dosovitskiy, Alexey. "An image is worth 16x16 words: Transformers for image recognition at scale." arXiv 2020.

[2] Beyer, Lucas, Xiaohua Zhai, and Alexander Kolesnikov. "Better plain vit baselines for imagenet-1k." arXiv 2022.

Q6: The zero-shot classification would also be interesting to be evaluated.

A: Thank you for pointing this out. To improve clarity, we have revised the Table 1 in the paper to explicitly indicate that the clean accuracy includes zero-shot classification results, ensuring this information is more transparent and accessible. Thank you for your suggestion.

Thank you very much for your feedback, we're glad for the chance to clarify some points.

Q1: EDT's reliance on a codebook limits its applicability to large pre-trained models that do not have a codebook.

A: Thank you for raising this concern. To clarify, our method is indeed applicable to large pre-trained models that do not originally include a codebook. For instance, in our experiments, we successfully applied our approach to models like ViT and CLIP, which do not have an inherent codebook. Our method enables the integration of an external codebook into these models, serving two purposes: enhancing the model’s performance on specific tasks and introducing backdoor functionality simultaneously. This demonstrates that a codebook can be flexibly added to existing large pre-trained models, backdoor attacking it without modifying the models’ core parameters.

Q2: Lack of experiments for multi-target backdoor attacks, which would further validate EDT's versatility.

A: Thank you for highlighting the importance of demonstrating multi-target backdoor attacks. To address this, we provide experimental results in Table 5 of our paper that showcase EDT’s capability to support multi-target backdoor attacks. In these experiments, we introduce three distinct triggers, each corresponding to a separate target outcome across various victim models (ViT, CLIP-ResNet50, and CLIP-ViT32). The results demonstrate a 100% attack success rate across all models, with no drop in benign accuracy ($\Delta$CA), underscoring EDT’s effectiveness and versatility in handling multiple triggers and targets within a single framework.

This multi-target capability highlights EDT’s adaptability, enabling the injection of multiple backdoors with minimal impact on the model’s clean performance. These results validate its robustness and practicality in diverse attack scenarios.

Q3: Table 1 is missing the results of Fine-tune Baseline on CLIP. It's unclear why multi-modal dataset is intractable to poison.

Thank you for this insightful concern. We first want to clarify that fine-tuning a multi-modal model like CLIP presents unique challenges, as the model integrates both visual and textual representations, making conventional data poisoning techniques complex and less effective.

In single-modality models, poisoning typically involves manipulating labels with one-hot encoded targets. However, in multi-modal models like CLIP, poisoning only one modality (e.g., images) is insufficient because the model learns associations between both image and text representations. For instance, to embed a backdoor effectively, both the image and its corresponding captions would need to be poisoned. This is challenging because captions can vary widely in how they describe the target label. Obtaining and aligning these caption variations with poisoned images is intractable, as it demands extensive and precise data pairing.

To further address your concern, we include a baseline comparison with BadClip [1], as shown in the table below:

From these results, we observe that our method achieves the best performance in terms of ASR (Attack Success Rate) and demonstrates superior performance on the $\Delta$CA (change in clean accuracy) metric, which are the key metrics for evaluating the success of a backdoor attack. Although our CA (clean accuracy) is slightly lower than BadClip, this is reasonable because BadClip is based on a prompt-tuning version of CLIP that is fine-tuned on the target training set. This additional fine-tuning improves clean accuracy, resulting in a higher CA than ours.

However, during backdoor injection, BadClip’s CA still drops to some degree, whereas our method achieves almost 0% accuracy drop. This highlights our method's superior ability to maintain clean performance while achieving state-of-the-art backdoor success rates.

[1] Badclip: Trigger-aware prompt learning for backdoor attacks on clip. CVPR 2024