Vision-Language Models (VLMs), such as CLIP, have been widely deployed in various cross-modal applications due to their strong alignment capability across image and text domains. However, current backdoor attacks against CLIP have predominantly focused on its image encoder, while attacks targeting the text encoder remain largely unexplored. Existing textual backdoor methods primarily rely on inserting fixed phrases or tokens, which often disrupt the fluency and semantics of the original text, making them easier to detect. To address this issue, we propose a method called Stylistic Text Encoder Attack (STEA), which leverages a large language model to generate stylistically diverse text. By applying structural modifications such as emphatic constructions and appositive phrases, our method subtly embeds backdoor triggers while preserving the naturalness and readability of the text. To mitigate potential hallucinations generated by the LLM during style transformations, we introduce a Semantic Invariance Mechanism based on structural and semantic entropy, thereby filtering out transformations that significantly deviate from the original meaning. Extensive experiments demonstrate that our approach not only preserves fluency and semantic consistency but also achieves a comparable attack success rate to insertion-based backdoor attacks.

错误:搜索内容不能为空,请输入英文关键词
错误:关键词超出字数限制,请精简
高级检索

Stealthy Backdoor Attacks on CLIP via Stylistic Textual Triggers

  • Kun Cao,
  • Bing Wang,
  • Shengsheng Qian

摘要

Vision-Language Models (VLMs), such as CLIP, have been widely deployed in various cross-modal applications due to their strong alignment capability across image and text domains. However, current backdoor attacks against CLIP have predominantly focused on its image encoder, while attacks targeting the text encoder remain largely unexplored. Existing textual backdoor methods primarily rely on inserting fixed phrases or tokens, which often disrupt the fluency and semantics of the original text, making them easier to detect. To address this issue, we propose a method called Stylistic Text Encoder Attack (STEA), which leverages a large language model to generate stylistically diverse text. By applying structural modifications such as emphatic constructions and appositive phrases, our method subtly embeds backdoor triggers while preserving the naturalness and readability of the text. To mitigate potential hallucinations generated by the LLM during style transformations, we introduce a Semantic Invariance Mechanism based on structural and semantic entropy, thereby filtering out transformations that significantly deviate from the original meaning. Extensive experiments demonstrate that our approach not only preserves fluency and semantic consistency but also achieves a comparable attack success rate to insertion-based backdoor attacks.