AdaPT: Adaptive Position Trigger for Improving Backdoors Attacks in Transfer Learning

Backdoor attacks in neural networks have emerged as one of the most critical and dangerous threats to AI security, attracting extensive research attention in recent years. Most existing backdoor attacks operate within an end-to-end learning framework. These attacks can achieve nearly 100% success rates on testing set while poisoning less than 10% of the training set in certain datasets. However, with the accumulation of public datasets and widespread adoption of pre-trained models, practical applications now commonly employ a transfer learning framework where features are first extracted by pre-trained models before training the classification head. Our investigation reveals that this transfer learning framework significantly degrades the effectiveness of traditional end-to-end backdoor attacks. To evaluate the security of such transfer learning networks using pre-trained models, new backdoor attack methods need to be designed. This paper analyze the failure mechanisms of traditional attacks from the perspective of the hidden feature discrepancy. Based on these insights, we propose AdaPT (Adaptive Position Trigger), a novel backdoor attack method that automatically searches the optimal trigger insertion position by maximizing the hidden feature discrepancy. Extensive experiments demonstrate that AdaPT not only enhances attack success rates in transfer learning and improves trigger learning efficiency in end-to-end learning, but also can resist typical backdoor defenses.