Arcueid: Multi-trigger Cloud Shaping for Unified Backdoor Attack Paradigms

Zhou Feng; Jiahao Chen; Chunyi Zhou; Tianyu Du; Yuwen Pu; Jianhai Chen; Shouling Ji

Arcueid: Multi-trigger Cloud Shaping for Unified Backdoor Attack Paradigms

Zhou Feng, Jiahao Chen, Chunyi Zhou, Tianyu Du, Yuwen Pu, Jianhai Chen, Shouling Ji

01 Sept 2025 (modified: 11 Feb 2026)Submitted to ICLR 2026EveryoneRevisionsBibTeXCC BY 4.0

Keywords: Backdoor Attack, Data Poisoning, Adversarial Machine Learning, AI Security

TL;DR: We propose Arcueid, a theoretically grounded multi-trigger-driven backdoor attack framework that unifies M→M, M→N, and M→1 paradigms under realistic constraints.

Abstract: Machine learning have driven breakthroughs in recognition, detection, and generation, yet their increasing ubiquity also exposes them to backdoor attack hazards, threatening the security of real-world AI deployments. Existing backdoor methods, however, remain fragile in adaptive settings for **rigid dependency on a static trigger**, **narrow scope in fixed one-to-one mappings**, or **unrealistic assumptions for levels of access**, thereby failing to scale to dynamic, large-class scenarios under realistic constraints. Therefore, we present ***Arcueid***, a theoretically grounded multi-trigger backdoor framework that **achieves scalable and robust attacks across $M \mapsto M$, $M \mapsto N$, and $M \mapsto 1$ paradigms**. It operates under restrictive settings, **requiring only black-box knowledge and extremely low poisoning budgets**. At its core lies a *Joint Cloud Shaping Multi-trigger Optimization* strategy that simultaneously compacts trigger-induced feature clouds and enforces inter-cloud separation, ensuring stable, non-interfering, and target-consistent decision regions, while decoupling trigger generation from label mapping to enable dynamic reconfiguration of targets and robust transferability across models and datasets. Extensive experiments on multiple datasets and five CNN/transformer architectures show that ***Arcueid*** attains near-perfect average ASR (**>97\%**) across targets in each paradigm with negligible clean accuracy drop (**<5%**) even at poisoning rates of **0.1%**, significantly outperforming SOTA baselines. Moreover, ***Arcueid*** consistently withstands representative pre-/mid-/post-training defenses, exhibits strong stealth with indistinguishable perceptual shifts, and sustains steady resilience across comprehensive ablation studies.

Supplementary Material: zip

Primary Area: alignment, fairness, safety, privacy, and societal considerations

Submission Number: 559

Loading