Transferable Dormant Backdoor: Covertly Embedding Transferable Backdoor via Knowledge Distillation in Pre-trained Models
摘要
Pre-trained parameter initialization offers better optimization starting points than random weight initialization, especially for tasks with limited data. While knowledge distillation is widely adopted for model compression, backdoor vulnerabilities in pre-trained models pose critical security risks, primarily due to adversaries injecting trigger-embedded samples during pre-training. Existing attack methods suffer from limited cross-domain transferability and insufficient stealthiness, rendering them detectable by advanced anomaly detection algorithms. To address these limitations, we propose Transferable Dormant Backdoor, a novel attack paradigm enabling covert backdoor migration and dynamic activation via knowledge distillation. Our method operates through a dual-stage framework: (1) a backdoor injection stage using a shadow model to ensure transferability, and (2) a dormant backdoor stage where the teacher model behaves normally on clean/poisoned data while keeping backdoors dormant to evade detection. During distillation, dormant backdoors activate and propagate to the student model. Experiments on MNIST, CIFAR-10, and SVHN demonstrate attack success rates of 98.23%, 96.95%, and 95.12%, respectively. Our method remains effective even in the presence of six mainstream mitigation techniques, thus demonstrating strong robustness against these defenses.