Abstract: Few-shot learning (FSL) has demonstrated tremendous potential when challenged with limited training data, but the assessment of its vulnerability to backdoor attacks is still at an early stage. However, recent research has revealed that this deep learning framework is susceptible to backdoor attacks. Existing backdoor techniques attacked FSL by manipulating triggers in the feature space, resulting in overfitting to specific perturbations, poor tolerance to real-world variability, and easy detection. Limited training samples expose these triggers or dirty labels. In this paper, we propose a novel technique that leverages latent embedding to successfully implant a backdoor attack on a Prototypical Network-based few-shot classification model (prototype-based FSL). Our attack is specifically designed to target prototype-based FSL due to its effectiveness in constructing fixed class prototypes from limited examples, which makes it uniquely susceptible to subtle prototype shifts. Since prototypical networks do not require backpropagation on testing samples, there is less chance of detecting latent backdoors. The latent mechanism serves as a crucial enhancement to traditional perturbation-based backdoors. For this purpose, our proposed approach utilizes a conditional variational autoencoder (CVAE) along with a latent attention mechanism and regularization terms to seamlessly encode the backdoor trigger within the original image feature space, offering a robust and reconstructed poisoned representation while preserving data integrity. In this setup, the poisoned subset reconstructed by the CVAE, combined with clean images, serves as the support set for computing class prototypes. Besides, our strategy enhances generalization by focusing on high-level abstractions and aligns well with the objectives of prototype-based FSL.
The experimental results reveal that our poisoning technique achieves a high Attack Success Rate (ASR) in FSL challenges while ensuring benign accuracy (BA) and preserving stealthiness. Consequently, this approach outperforms earlier techniques in terms of efficiency and performance, leading to enhanced robustness against detection while assuring that the trigger remains smoothly integrated into the data distribution. This study demonstrates that latent backdoor attacks pose a persistent and significant threat to prototype-based FSL, underscoring an urgent need for robust security measures to protect against these vulnerabilities.
External IDs: dblp:journals/tdsc/SanaYLU26