{"record_type":"pith_number_record","schema_url":"https://pith.science/schemas/pith-number/v1.json","pith_number":"pith:2017:UUKNPT22KNHQIW6ZBRKVOKLB7H","short_pith_number":"pith:UUKNPT22","schema_version":"1.0","canonical_sha256":"a514d7cf5a534f045bd90c55572961f9cd906a9875384f56939c032093e542b5","source":{"kind":"arxiv","id":"1712.05526","version":1},"attestation_state":"computed","paper":{"title":"Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"A backdoor adversary can inject only around 50 poisoning samples to achieve over 90 percent attack success rate in deep learning systems.","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"Bo Li, Chang Liu, Dawn Song, Kimberly Lu, Xinyun Chen","submitted_at":"2017-12-15T04:26:26Z","abstract_excerpt":"Deep learning models have achieved high performance on many tasks, and thus have been applied to many security-critical scenarios. For example, deep learning-based face recognition systems have been used to authenticate users to access many security-sensitive applications like payment apps. Such usages of deep learning systems provide the adversaries with sufficient incentives to perform attacks against these systems for their adversarial purposes. In this work, we consider a new type of attacks, called backdoor attacks, where the attacker's goal is to create a backdoor into a learning-based a"},"verification_status":{"content_addressed":true,"pith_receipt":true,"author_attested":false,"weak_author_claims":0,"strong_author_claims":0,"externally_anchored":false,"storage_verified":false,"citation_signatures":0,"replication_records":0,"graph_snapshot":true,"references_resolved":true,"formal_links_present":true},"canonical_record":{"source":{"id":"1712.05526","kind":"arxiv","version":1},"metadata":{"license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","primary_cat":"cs.CR","submitted_at":"2017-12-15T04:26:26Z","cross_cats_sorted":["cs.LG"],"title_canon_sha256":"3b3a93952bb15be6868655fbe357bf682e384148cdd671f839d8e05d15e044d4","abstract_canon_sha256":"97e573e4a703a1f54ddb68b78d1d4f418db6a939dc53f98a6f11c566fbc481d4"},"schema_version":"1.0"},"receipt":{"kind":"pith_receipt","key_id":"pith-v1-2026-05","algorithm":"ed25519","signed_at":"2026-05-18T03:17:11.272186Z","signature_b64":"Asd9a+bH69yo4SRsenM6B8M6jeaNJeqoVREQsYAjGImx7w6gP/IOllvD/bY0ef32yZEaI6Di9PDjUirkAaJUBA==","signed_message":"canonical_sha256_bytes","builder_version":"pith-number-builder-2026-05-17-v1","receipt_version":"0.3","canonical_sha256":"a514d7cf5a534f045bd90c55572961f9cd906a9875384f56939c032093e542b5","last_reissued_at":"2026-05-18T03:17:11.271452Z","signature_status":"signed_v1","first_computed_at":"2026-05-18T03:17:11.271452Z","public_key_fingerprint":"8d4b5ee74e4693bcd1df2446408b0d54"},"graph_snapshot":{"paper":{"title":"Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning","license":"http://arxiv.org/licenses/nonexclusive-distrib/1.0/","headline":"A backdoor adversary can inject only around 50 poisoning samples to achieve over 90 percent attack success rate in deep learning systems.","cross_cats":["cs.LG"],"primary_cat":"cs.CR","authors_text":"Bo Li, Chang Liu, Dawn Song, Kimberly Lu, Xinyun Chen","submitted_at":"2017-12-15T04:26:26Z","abstract_excerpt":"Deep learning models have achieved high performance on many tasks, and thus have been applied to many security-critical scenarios. For example, deep learning-based face recognition systems have been used to authenticate users to access many security-sensitive applications like payment apps. Such usages of deep learning systems provide the adversaries with sufficient incentives to perform attacks against these systems for their adversarial purposes. In this work, we consider a new type of attacks, called backdoor attacks, where the attacker's goal is to create a backdoor into a learning-based a"},"claims":{"count":4,"items":[{"kind":"strongest_claim","text":"a backdoor adversary can inject only around 50 poisoning samples, while achieving an attack success rate of above 90%. We are also the first work to show that a data poisoning attack can create physically implementable backdoors without touching the training process.","source":"verdict.strongest_claim","status":"machine_extracted","claim_id":"C1","attestation":"unclaimed"},{"kind":"weakest_assumption","text":"The victim training pipeline allows injection of a small number of poisoning samples and the model will learn the association between the imperceptible trigger and the target label from those samples alone.","source":"verdict.weakest_assumption","status":"machine_extracted","claim_id":"C2","attestation":"unclaimed"},{"kind":"one_line_summary","text":"Injecting around 50 poisoned samples with a stealthy trigger creates backdoors in deep learning models achieving over 90% attack success under a weak threat model with no model or data knowledge required.","source":"verdict.one_line_summary","status":"machine_extracted","claim_id":"C3","attestation":"unclaimed"},{"kind":"headline","text":"A backdoor adversary can inject only around 50 poisoning samples to achieve over 90 percent attack success rate in deep learning systems.","source":"verdict.pith_extraction.headline","status":"machine_extracted","claim_id":"C4","attestation":"unclaimed"}],"snapshot_sha256":"252fed86a52c6d83ee79b187b92242a2cb273dc0ff31998f73ceada7a06ad0e5"},"source":{"id":"1712.05526","kind":"arxiv","version":1},"verdict":{"id":"431a8827-2ecd-4be1-9c58-54290b8b06b2","model_set":{"reader":"grok-4.3"},"created_at":"2026-05-14T00:33:42.984349Z","strongest_claim":"a backdoor adversary can inject only around 50 poisoning samples, while achieving an attack success rate of above 90%. We are also the first work to show that a data poisoning attack can create physically implementable backdoors without touching the training process.","one_line_summary":"Injecting around 50 poisoned samples with a stealthy trigger creates backdoors in deep learning models achieving over 90% attack success under a weak threat model with no model or data knowledge required.","pipeline_version":"pith-pipeline@v0.9.0","weakest_assumption":"The victim training pipeline allows injection of a small number of poisoning samples and the model will learn the association between the imperceptible trigger and the target label from those samples alone.","pith_extraction_headline":"A backdoor adversary can inject only around 50 poisoning samples to achieve over 90 percent attack success rate in deep learning systems."},"references":{"count":74,"sample":[{"doi":"","year":2017,"title":"Available: https://www.tripwire.com/state-of-security/ security-data-protection/insider-threats-main-security-threat-2017/","work_id":"5282dafd-0c85-44f0-ab0f-c2f2694bf064","ref_index":1,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2015,"title":"Available: https://www.helpnetsecurity.com/2015/08/19/ the-insider-versus-the-outsider-who-poses-the-biggest-security-risk/","work_id":"30eb576c-08c2-428c-a833-e320259402ae","ref_index":2,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Available: https://www.fastcompany.com/3065778/ baidu-says-new-face-recognition-can-replace-checking-ids-or-tickets","work_id":"e34e5d3a-8ce7-4cc8-a4e5-ee48becc62cd","ref_index":3,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":2017,"title":"Available: https://www","work_id":"1301b3a5-aad9-49f2-b78e-86c73982469d","ref_index":4,"cited_arxiv_id":"","is_internal_anchor":false},{"doi":"","year":null,"title":"Available: http://www.zdnet.com/article/ facial-recognition-technology-to-replace-passports-at-australian-airports","work_id":"aff6f845-7ad2-42fa-a68a-8a57b8b6625a","ref_index":5,"cited_arxiv_id":"","is_internal_anchor":false}],"resolved_work":74,"snapshot_sha256":"8696869fcdc28c181d5c45d8a5e1245f6abc0413d51e488f85eaab9282d59e50","internal_anchors":3},"formal_canon":{"evidence_count":1,"snapshot_sha256":"9b209a7962dcb52931b22c106ab9f5432d0c5757a643bc57ab58040d2cecdc02"},"author_claims":{"count":0,"strong_count":0,"snapshot_sha256":"258153158e38e3291e3d48162225fcdb2d5a3ed65a07baac614ab91432fd4f57"},"builder_version":"pith-number-builder-2026-05-17-v1"},"aliases":[{"alias_kind":"arxiv","alias_value":"1712.05526","created_at":"2026-05-18T03:17:11.271564+00:00"},{"alias_kind":"arxiv_version","alias_value":"1712.05526v1","created_at":"2026-05-18T03:17:11.271564+00:00"},{"alias_kind":"doi","alias_value":"10.48550/arxiv.1712.05526","created_at":"2026-05-18T03:17:11.271564+00:00"},{"alias_kind":"pith_short_12","alias_value":"UUKNPT22KNHQ","created_at":"2026-05-18T12:31:49.984773+00:00"},{"alias_kind":"pith_short_16","alias_value":"UUKNPT22KNHQIW6Z","created_at":"2026-05-18T12:31:49.984773+00:00"},{"alias_kind":"pith_short_8","alias_value":"UUKNPT22","created_at":"2026-05-18T12:31:49.984773+00:00"}],"events":[],"event_summary":{},"paper_claims":[],"inbound_citations":{"count":64,"internal_anchor_count":64,"sample":[{"citing_arxiv_id":"2606.04929","citing_title":"Sequential Data Poisoning in LLM Post-Training","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2606.03771","citing_title":"$\\pi$Creds: Privately Inferred Credentials","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2606.02947","citing_title":"BYORn: Bootstrap Your Own Responses to Defend Large Vision-Language Models Against Backdoor Attacks","ref_index":37,"is_internal_anchor":true},{"citing_arxiv_id":"2605.31246","citing_title":"BadBone: Backdoor Attacks Against Backbone Models in Visual Prompt Learning","ref_index":10,"is_internal_anchor":true},{"citing_arxiv_id":"2606.31639","citing_title":"A Lifecycle and Application-Stack Survey of Large Language Model Vulnerabilities: Attacks, Risks, Defenses, and Open Problems","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"2605.16815","citing_title":"Universal Graph Backdoor Defense: A Feature-based Homophily Perspective","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2606.28962","citing_title":"FlipGuard: Defending Large Language Models Against Quantization-Conditioned Backdoor Attacks","ref_index":6,"is_internal_anchor":true},{"citing_arxiv_id":"2606.28953","citing_title":"Clustering Unsupervised Representations as Defense against Poisoning Attacks on Speech Commands Classification System","ref_index":26,"is_internal_anchor":true},{"citing_arxiv_id":"2605.30189","citing_title":"Token-Level Generalization in LoRA Adapter Backdoors: Attack Characterization and Behavioral Detection","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2605.27809","citing_title":"Density-aware Sample-specific Attack","ref_index":2,"is_internal_anchor":true},{"citing_arxiv_id":"2605.29557","citing_title":"Quantum Subliminal Learning","ref_index":9,"is_internal_anchor":true},{"citing_arxiv_id":"2606.00654","citing_title":"The Invitation Trap: Proactive Availability Backdoor in LLMs via Conversational Induction","ref_index":10,"is_internal_anchor":true},{"citing_arxiv_id":"2509.06896","citing_title":"Are Targeted Data Poisoning Attacks as Effective as We Think?","ref_index":1,"is_internal_anchor":true},{"citing_arxiv_id":"2601.21692","citing_title":"TCAP: Tri-Component Attention Profiling for Unsupervised Backdoor Detection in MLLM Fine-Tuning","ref_index":5,"is_internal_anchor":true},{"citing_arxiv_id":"2306.12001","citing_title":"An Overview of Catastrophic AI Risks","ref_index":130,"is_internal_anchor":true},{"citing_arxiv_id":"2605.23411","citing_title":"Sample-wise Targeted Adversarial Attacks on Test-time Adaptation","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"1907.06800","citing_title":"Graph Interpolating Activation Improves Both Natural and Robust Accuracies in Data-Efficient Deep Learning","ref_index":4,"is_internal_anchor":true},{"citing_arxiv_id":"1811.10959","citing_title":"Dataset Distillation","ref_index":33,"is_internal_anchor":true},{"citing_arxiv_id":"2407.15389","citing_title":"Poisoning with A Pill: Circumventing Detection in Federated Learning","ref_index":13,"is_internal_anchor":true},{"citing_arxiv_id":"2411.12220","citing_title":"DeTrigger: A Gradient-Centric Approach to Backdoor Attack Mitigation in Federated Learning","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2411.03926","citing_title":"Act in Collusion: Distributed Multi-Target Backdoor Attacks in Federated Learning","ref_index":7,"is_internal_anchor":true},{"citing_arxiv_id":"2412.00727","citing_title":"Perturb and Recover: Fine-tuning for Effective Backdoor Removal from CLIP","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2501.13340","citing_title":"Retrievals Can Be Detrimental: Unveiling the Backdoor Vulnerability of Retrieval-Augmented Diffusion Models","ref_index":8,"is_internal_anchor":true},{"citing_arxiv_id":"2503.09336","citing_title":"Stealthy Patch-Wise Backdoor Attack in 3D Point Cloud via Curvature Awareness","ref_index":3,"is_internal_anchor":true},{"citing_arxiv_id":"2504.05902","citing_title":"Defending against Backdoor Attacks via Module Switching","ref_index":6,"is_internal_anchor":true}]},"formal_canon":{"evidence_count":1,"sample":[],"anchors":[]},"links":{"html":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H","json":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H.json","graph_json":"https://pith.science/api/pith-number/UUKNPT22KNHQIW6ZBRKVOKLB7H/graph.json","events_json":"https://pith.science/api/pith-number/UUKNPT22KNHQIW6ZBRKVOKLB7H/events.json","paper":"https://pith.science/paper/UUKNPT22"},"agent_actions":{"view_html":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H","download_json":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H.json","view_paper":"https://pith.science/paper/UUKNPT22","resolve_alias":"https://pith.science/api/pith-number/resolve?arxiv=1712.05526&json=true","fetch_graph":"https://pith.science/api/pith-number/UUKNPT22KNHQIW6ZBRKVOKLB7H/graph.json","fetch_events":"https://pith.science/api/pith-number/UUKNPT22KNHQIW6ZBRKVOKLB7H/events.json","actions":{"anchor_timestamp":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H/action/timestamp_anchor","attest_storage":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H/action/storage_attestation","attest_author":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H/action/author_attestation","sign_citation":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H/action/citation_signature","submit_replication":"https://pith.science/pith/UUKNPT22KNHQIW6ZBRKVOKLB7H/action/replication_record"}},"created_at":"2026-05-18T03:17:11.271564+00:00","updated_at":"2026-05-18T03:17:11.271564+00:00"}