
TLDR
- What: BADBONE is a bi-level optimization backdoor attack targeting frozen vision backbones in Visual Prompt Learning (VPL) using a highly stealthy "prompt-and-trigger co-activation" mechanism.
- Who's at risk: Downstream visual recognition applications (e.g., autonomous driving, medical imaging, defect detection platforms) deploying VPL on pre-trained backbones sourced from third-party hubs (like Hugging Face or model registries).
- Key number: Achieves an Attack Success Rate (ASR) of up to 98.92% on CIFAR-10 while bypassing state-of-the-art defenses like Neural Cleanse (with an Anomaly Index of just 1.03 versus the 2.0 detection threshold).
Visual prompt learning (VPL) has emerged as a highly efficient paradigm for adapting large pre-trained foundation models—such as ResNet, ViT, and CLIP—to specialized downstream tasks. Platforms like Landing AI and Amazon visual services leverage VPL because it freezes the expensive backbone parameters and only optimizes a lightweight, pixel-space "prompt" (such as a padding frame). However, Yang et al. (2026) expose a severe security vulnerability in this pipeline: an attacker can distribute a compromised backbone model containing a silent backdoor that remains dormant during standard pre-training and downstream prompt tuning, only activating when a specific trigger is presented.
Threat Model
The attack scenario assumes a downstream user downloading a pre-trained backbone model from an untrusted third-party provider.
| Attacker | Malicious model provider with white-box access to the pre-trained backbone parameters during the poisoning phase. |
| Victim | ML engineers deploying downstream visual applications on frozen, third-party backbones via clean visual prompt tuning. |
| Goal | Achieve targeted misclassification (Targeted ASR) or random misclassification (Untargeted MR) when the learned prompt and trigger are simultaneously present, while maintaining high clean accuracy on pre-training and target tasks. |
| Budget | Access to a proxy "shadow" dataset with a similar distribution to the target task, and a small subset of the pre-training dataset (e.g., 50 images per class of ImageNet-1k, totaling 50k images). |
Background & Problem Setup
In VPL, the backbone model is completely frozen. The downstream user trains a task-specific prompt to shift the input data into the backbone’s pre-trained distribution.
Unlike prompt-level backdoor attacks (such as Du et al., 2022) where the attacker must poison the prompt itself, BADBONE injects the payload directly into the backbone. This means even if the victim trains their own visual prompt from scratch on clean data, the backdoor vulnerability is successfully inherited.
Furthermore, unlike traditional backbone backdoors (like BadNets by Gu et al., 2017) which are triggered by the simple presence of a trigger, BADBONE utilizes a "prompt-and-trigger co-activation" mechanism. The backdoor remains entirely dormant unless both the visual prompt and the spatial trigger are present.
Backdoor Attack Comparison
| Attack Method | Target Component | Clean Downstream Prompt Resiliency | Trigger Activation Condition | Defensive Visibility |
|---|---|---|---|---|
| Traditional Backdoor (Gu et al., 2017) | Entire Model (Weights updated) | N/A (No prompt used) | Trigger-only | High (easily detected by Neural Cleanse and ABS) |
| Prompt-Level Poisoning (Du et al., 2022) | Downstream Prompt () | Low (destroyed if victim retrains prompt) | Trigger + Poisoned Prompt | Moderate (mitigated by prompt filtering) |
| BADBONE (Yang et al., 2026) | Pre-trained Backbone () | High (survives clean prompt training) | Trigger + Clean Prompt | Extremely Low (bypasses all SOTA defenses) |
Methodology
Yang et al. (2026) formulate the attack as a bi-level optimization problem to model the complex interaction between the backbone poisoning (lower-level) and the victim's prompt learning (upper-level):
Because solving this directly is computationally intractable, the authors propose an Iterative Approximation framework (depicted in Figure 2 of the paper). The training pipeline alternates between two key phases:
- Prompt Learning Phase: The backbone model is frozen. A simulated prompt is optimized via gradient descent on the shadow dataset using standard cross-entropy loss:
\ell_{\text{prompt}} = \mathbb{E}{(x, y) \in D} [\sigma(F{\theta, \phi}(x), y)]
2. **Poisoning Phase**: The simulated prompt $g_\phi$ is frozen. The backbone parameters $\theta$ are updated on a joint poisoning dataset $D_{\text{poisoning}}$ composed of: - A triggered dataset $D_t$ (images from shadow dataset $D$ with a \$10 \times 10$ white patch trigger added at the bottom-right corner, and labels flipped to target class $y_t$). - A clean shadow dataset $D_c$ to preserve clean downstream performance. - A pre-training dataset $D_p$ (ImageNet-1k subset) to maintain overall backbone utility. The joint poisoning loss is balanced as:\ell_{\text{poisoning}} = \gamma * \ell_{D_t} + \beta * \ell_{D_c} + \alpha * \ell_{D_p}
Where $\gamma, \beta, \alpha$ are balancing weights. Setting these weights to 1 yielded the optimal trade-off in empirical evaluations. ```python # Pseudocode of the BADBONE training loop (Adapted from Alg 1) # Inputs: pre-trained f_theta, prompt g_phi, shadow D, pre-training D_p # Parameters: N_iters, E_p (prompt epochs), E_f (poisoning epochs) # 1. Construct triggered dataset D_t and clean sample D_c D_t = [] for x, y in sample(D, num_trigger_samples): x_triggered = add_trigger(x, pattern="10x10_white_patch", position="bottom_right") y_flipped = target_class_yt # or next_flipping(y) for untargeted D_t.append((x_triggered, y_flipped)) D_c = sample(D, num_clean_samples) # 2. Iterative Bi-Level Optimization for l in range(1, N_iters + 1): # Phase A: Prompt Learning (Simulate Victim) freeze(f_theta) initialize(g_phi) for ep in range(E_p): loss_prompt = compute_cross_entropy(f_theta, g_phi, D) g_phi = update_weights(g_phi, loss_prompt, lr_prompt) # Phase B: Backbone Poisoning freeze(g_phi) for ef in range(E_f): loss_t = compute_cross_entropy(f_theta, g_phi, D_t) loss_c = compute_cross_entropy(f_theta, g_phi, D_c) loss_p = compute_cross_entropy(f_theta, g_phi, D_p) # pre-training loss loss_poisoning = gamma * loss_t + beta * loss_c + alpha * loss_p f_theta = update_weights(f_theta, loss_poisoning, lr_poisoning) ``` --- ## Key Results The authors evaluate BADBONE across three benchmark datasets (CIFAR-10, SVHN, and EuroSAT) and three backbone architectures (ResNet18, ResNet50, and BiT-M-RN50). ### Targeted Attack Performance and Utility The table below demonstrates the performance of BADBONE compared to clean baselines (baseline values are shown in parentheses): | Dataset | Backbone Model | Targeted ASR (Baseline ASR) | Downstream Utility $Acc_{\text{target}}$ (Baseline) | Pre-training Utility $Acc_{\text{pre}}$ (Baseline) | |---|---|---|---|---| | **CIFAR-10** | ResNet18 | **97.64%** (17.02%) | **85.88%** (54.10%) | **66.12%** (69.76%) | | **CIFAR-10** | ResNet50 | **98.66%** (12.44%) | **91.04%** (51.58%) | **72.03%** (76.15%) | | **CIFAR-10** | BiT-M-RN50 | **98.92%** (11.52%) | **93.38%** (61.66%) | **72.11%** (74.02%) | | **EuroSAT** | ResNet18 | **94.72%** (11.68%) | **94.52%** (76.68%) | **66.46%** (69.76%) | | **EuroSAT** | ResNet50 | **96.92%** (10.68%) | **95.48%** (75.68%) | **72.03%** (76.15%) | | **EuroSAT** | BiT-M-RN50 | **98.56%** (10.44%) | **95.84%** (84.84%) | **72.65%** (74.02%) | ### Robustness Against Model-Level Defenses - **Co-Activation Stealth**: When evaluated on triggered inputs *without* a visual prompt, the ASR for the backdoored ResNet18 on CIFAR-10 drops to just 0.10% (matching the clean baseline's 0.10%, as shown in Table 3). This renders the backdoor completely invisible to scanners looking for trigger-only anomalies. - **Bypassing Neural Cleanse**: Neural Cleanse fails to identify the backdoor, outputting an Anomaly Index of 1.13 for ResNet18 and 1.03 for BiT-M-RN50 (Table 11), well below the detection threshold of 2.0. - **Erase-based Defenses Failure**: Under NAD (Neural Attention Distillation) defense, the poisoned ResNet50 maintains an ASR of 99.10% (Table 13). CLP (Channel Lipschitzness-based pruning) succeeds in mitigating the attack (dropping ASR to 13.52%), but collapses the downstream target accuracy $Acc_{\text{target}}$ to 52.10% (Table 14). --- ## Limitations & Open Questions - **Proxy Dataset Dependency**: BADBONE assumes the attacker can curate a shadow dataset $D$ that aligns closely with the victim's target domain. If there is a massive domain shift (e.g., training the backdoor on facial classification but the victim runs object classification), the transferability of the attack drops to 79.26% ASR and collapses clean task accuracy to 11.50% (as shown in Section 5.3). - **Label Mapping Dependencies**: The attack's success relies on the victim adhering to standard, predictable label mapping configurations. If the victim adopts a highly customized or random label mapping function $h$, targeted ASR performance may degrade. - **Expansion to Multimodal Systems**: Extending BADBONE to vision-language models like CLIP—where prompts can be applied to both the image and text encoders—represents an open challenge for bi-level optimization strategies. --- ## What Practitioners Should Do 1. **Implement Decoupling Tests**: Before deploying any visual prompt, evaluate the model under "decoupled" conditions. Run the model with visual prompts alone, trigger patterns alone, and combined trigger-prompt setups. Sudden drops in clean classification accuracy or high activation rates under combined inputs are primary indicators of a co-activated backdoor. 2. **Utilize Anomaly-Aware Fine-Tuning**: Avoid deploying raw backbones directly from unverified registries. Run a short fine-tuning loop on a clean representative dataset of your target task *before* freezing the model for visual prompt learning. This acts as a soft weight-reset that disrupts the precise bi-level optimization structures BADBONE relies on. 3. **Enforce Weight Integrity Verification**: Maintain cryptographic signatures (SHA-256) of trusted backbone weights and match them against original publisher repositories (e.g., verifying Hugging Face commit IDs and PyTorch Hub hashes). 4. **Deploy Decoupled Activation Monitors**: Implement input preprocessing pipelines to filter out or perturb high-frequency, local spatial triggers (like small pixel patches) before applying visual prompt masks. --- ## The Takeaway BADBONE demonstrates that frozen, highly cost-effective visual prompt learning pipelines inherit severe, hard-to-detect vulnerabilities from compromised upstream models. By utilizing bi-level optimization, attackers can inject backdoors that bypass traditional model-level scanners and remain completely dormant until the clean downstream prompt and trigger co-activate them. Secure ML pipelines must transition away from treating frozen backbones as absolute trusts.