{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T09:24:34Z","timestamp":1765185874699,"version":"3.46.0"},"reference-count":47,"publisher":"Association for Computing Machinery (ACM)","issue":"1","funder":[{"DOI":"10.13039\/501100001809","name":"National Natural Science Foundation of China","doi-asserted-by":"crossref","award":["62376263"],"award-info":[{"award-number":["62376263"]}],"id":[{"id":"10.13039\/501100001809","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100003453","name":"Natural Science Foundation of Guangdong","doi-asserted-by":"crossref","award":["2024A1515030209"],"award-info":[{"award-number":["2024A1515030209"]}],"id":[{"id":"10.13039\/501100003453","id-type":"DOI","asserted-by":"crossref"}]},{"DOI":"10.13039\/501100010877","name":"Shenzhen Science and Technology Innovation Commission","doi-asserted-by":"crossref","award":["JCYJ20230807140507015"],"award-info":[{"award-number":["JCYJ20230807140507015"]}],"id":[{"id":"10.13039\/501100010877","id-type":"DOI","asserted-by":"crossref"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":["ACM Trans. Knowl. Discov. Data"],"published-print":{"date-parts":[[2026,1,31]]},"abstract":"\n Open source software supply-chain attacks, once successful, can exact heavy costs in mission-critical applications. As open source ecosystems for deep learning flourish and become increasingly universal, they present attackers previously unexplored avenues to code-inject malicious backdoors in deep neural network models. This article proposes\n Flareon<\/jats:italic>\n , a small, stealthy, seemingly harmless code modification that specifically targets the data augmentation pipeline with motion-based triggers.\n Flareon<\/jats:italic>\n neither alters ground-truth labels, nor modifies the training loss objective, nor does it assume prior knowledge of the victim model architecture, training data, and training hyperparameters. Yet, it has a surprisingly large ramification on training\u2014models trained under\n Flareon<\/jats:italic>\n learn powerful target-conditioned (or \u201c\n all2all<\/jats:italic>\n \u201d) backdoors. We also proposed a learnable variant of\n Flareon<\/jats:italic>\n that is even stealthier in terms of added perturbations. The resulting models can exhibit high attack success rates for any target choices and better clean accuracies than backdoor attacks that not only seize greater control but also assume more restrictive attack capabilities. We also demonstrate the resilience of\n Flareon<\/jats:italic>\n against a wide range of defenses.\n Flareon<\/jats:italic>\n is fully open source and available online to the deep learning community.\n <\/jats:p>","DOI":"10.1145\/3774648","type":"journal-article","created":{"date-parts":[[2025,11,3]],"date-time":"2025-11-03T10:57:23Z","timestamp":1762167443000},"page":"1-23","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":0,"title":["Flareon: Stealthy All2all Backdoor Injection via Poisoned Augmentation"],"prefix":"10.1145","volume":"20","author":[{"ORCID":"https:\/\/orcid.org\/0009-0002-8386-2003","authenticated-orcid":false,"given":"Tianrui","family":"Qin","sequence":"first","affiliation":[{"name":"Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen, China and OPPO Research Institute, Shenzhen, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9900-9117","authenticated-orcid":false,"given":"Xuan","family":"Wang","sequence":"additional","affiliation":[{"name":"Anhui Key Lab of CSSAE, National University of Defense Technology, Hefei, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0007-3962-4549","authenticated-orcid":false,"given":"Xianghuan","family":"He","sequence":"additional","affiliation":[{"name":"University of Missouri, Columbia, Missouri, USA"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-3727-7463","authenticated-orcid":false,"given":"Yiren","family":"Zhao","sequence":"additional","affiliation":[{"name":"Imperial College London, London, United Kingdom of Great Britain and Northern Ireland"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6133-407X","authenticated-orcid":false,"given":"Kejiang","family":"Ye","sequence":"additional","affiliation":[{"name":"Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen,\u00a0China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-9480-0356","authenticated-orcid":false,"given":"Cheng-Zhong","family":"Xu","sequence":"additional","affiliation":[{"name":"State Key Laboratory for Internet of Things for Smart City, University of Macau, Taipa, Macau S.A.R., China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2063-2051","authenticated-orcid":false,"given":"Xitong","family":"Gao","sequence":"additional","affiliation":[{"name":"Shenzhen Institutes of Advanced Technology, Chinese Academy of Sciences, Shenzhen, China and Shenzhen University of Advanced Technology, Shenzhen, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"320","published-online":{"date-parts":[[2025,12,8]]},"reference":[{"key":"e_1_3_2_2_2","volume-title":"Proceedings of the USENIX Security","author":"Bagdasaryan Eugene","year":"2021","unstructured":"Eugene Bagdasaryan and Vitaly Shmatikov. 2021. Blind backdoors in deep learning models. In Proceedings of the USENIX Security."},{"key":"e_1_3_2_3_2","unstructured":"Alex Birsan. 2021. Dependency Confusion: How I Hacked Into Apple Microsoft and Dozens of Other Companies."},{"key":"e_1_3_2_4_2","unstructured":"Xinyun Chen Chang Liu Bo Li Kimberly Lu and Dawn Song. 2017. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv:1712.05526. Retrieved from https:\/\/arxiv.org\/abs\/1712.05526"},{"key":"e_1_3_2_5_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition","author":"Cubuk Ekin D.","year":"2019","unstructured":"Ekin D. Cubuk, Barret Zoph, Dandelion Mane, Vijay Vasudevan, and Quoc V. Le. 2019. AutoAugment: Learning augmentation strategies from data. In Proceedings of the Computer Vision and Pattern Recognition."},{"key":"e_1_3_2_6_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition Workshop","author":"Cubuk Ekin D.","year":"2020","unstructured":"Ekin D. Cubuk, Barret Zoph, Jonathon Shlens, and Quoc V. Le. 2020. RandAugment: Practical automated data augmentation with a reduced search space. In Proceedings of the Computer Vision and Pattern Recognition Workshop."},{"key":"e_1_3_2_7_2","unstructured":"Terrance DeVries Graham and W. Taylor. 2017. Improved regularization of convolutional neural networks with cutout. arXiv:1708.04552. Retrieved from https:\/\/arxiv.org\/abs\/1708.04552"},{"key":"e_1_3_2_8_2","volume-title":"Proceedings of the International Conference on Computer Vision","author":"Doan Khoa","year":"2021","unstructured":"Khoa Doan, Yingjie Lao, Weijie Zhao, and Ping Li. 2021. LIRA: Learnable, imperceptible and robust backdoor attacks. In Proceedings of the International Conference on Computer Vision."},{"key":"e_1_3_2_9_2","first-page":"1","article-title":"Marksman backdoor: Backdoor attacks with arbitrary target class","author":"Doan Khoa D.","year":"2022","unstructured":"Khoa D. Doan, Yingjie Lao, and Ping Li. 2022. Marksman backdoor: Backdoor attacks with arbitrary target class. In 36th Conference on Neural Information Processing Systems (NeurIPS 2022), 1\u201314.","journal-title":"36th Conference on Neural Information Processing Systems (NeurIPS 2022)"},{"key":"e_1_3_2_10_2","volume-title":"Proceedings of the Network and Distributed System Security","author":"Duan Ruian","year":"2021","unstructured":"Ruian Duan, Omar Alrawi, Ranjita Pai Kasturi, Ryan Elder, Brendan Saltaformaggio, and Wenke Lee. 2021. Towards measuring supply chain attacks on package managers for interpreted languages. In Proceedings of the Network and Distributed System Security."},{"key":"e_1_3_2_11_2","volume-title":"Proceedings of the IEEE Security and Privacy","author":"Enck William","year":"2022","unstructured":"William Enck and Laurie Williams. 2022. Top five challenges in software supply chain security: Observations from 30 industry and government organizations. In Proceedings of the IEEE Security and Privacy."},{"key":"e_1_3_2_12_2","doi-asserted-by":"publisher","DOI":"10.1145\/3359789.3359790"},{"key":"e_1_3_2_13_2","doi-asserted-by":"publisher","DOI":"10.1038\/s42256-020-00257-z"},{"key":"e_1_3_2_14_2","volume-title":"Proceedings of the Neural Information Processing Systems Workshop","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. BadNets: Identifying vulnerabilities in the machine learning model supply chain. In Proceedings of the Neural Information Processing Systems Workshop."},{"key":"e_1_3_2_15_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition","author":"He Kaiming","year":"2016","unstructured":"Kaiming He, Xiangyu Zhang, Shaoqing Ren, and Jian Sun. 2016. Deep residual learning for image recognition. In Proceedings of the Computer Vision and Pattern Recognition."},{"key":"e_1_3_2_16_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition","author":"Hu Jie","year":"2018","unstructured":"Jie Hu, Li Shen, and Gang Sun. 2018. Squeeze-and-excitation networks. In Proceedings of the Computer Vision and Pattern Recognition."},{"key":"e_1_3_2_17_2","unstructured":"Alex Krizhevsky and Geoffrey Hinton. 2009. Learning Multiple Layers of Features from Tiny Images. Technical Report. University of Toronto. Retrieved from https:\/\/www.cs.toronto.edu\/~kriz\/learning-features-2009-TR.pdf"},{"key":"e_1_3_2_18_2","volume-title":"Proceedings of the Neural Information Processing Systems","author":"Krizhevsky Alex","year":"2012","unstructured":"Alex Krizhevsky, Ilya Sutskever, and Geoffrey E. Hinton. 2012. ImageNet classification with deep convolutional neural networks. In Proceedings of the Neural Information Processing Systems."},{"key":"e_1_3_2_19_2","volume-title":"Proceedings of the Association for Computational Linguistics","author":"Kurita Keita","year":"2020","unstructured":"Keita Kurita, Paul Michel, and Graham Neubig. 2020. Weight poisoning attacks on pretrained models. In Proceedings of the Association for Computational Linguistics."},{"key":"e_1_3_2_20_2","doi-asserted-by":"publisher","DOI":"10.1109\/TIFS.2020.2971144"},{"key":"e_1_3_2_21_2","unstructured":"Ya Le and Xuan Yang. 2015. Tiny ImageNet Visual Recognition Challenge. Technical Report. Retrieved from http:\/\/vision.stanford.edu\/teaching\/cs231n\/reports\/2015\/pdfs\/yle_project.pdf"},{"key":"e_1_3_2_22_2","doi-asserted-by":"publisher","DOI":"10.1109\/TNNLS.2022.3182979"},{"key":"e_1_3_2_23_2","doi-asserted-by":"publisher","DOI":"10.1109\/ICCV48922.2021.01615"},{"key":"e_1_3_2_24_2","volume-title":"Proceedings of the Neural Information Processing Systems","author":"Li Yige","year":"2021","unstructured":"Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. 2021. Anti-backdoor learning: Training clean models on poisoned data. In Proceedings of the Neural Information Processing Systems."},{"key":"e_1_3_2_25_2","volume-title":"Proceedings of the International Conference on Representation Learning","author":"Li Yige","year":"2021","unstructured":"Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, and Xingjun Ma. 2021. Neural attention distillation: Erasing backdoor triggers from deep neural networks. In Proceedings of the International Conference on Representation Learning."},{"key":"e_1_3_2_26_2","volume-title":"Proceedings of the Research in Attacks, Intrusions, and Defenses","author":"Liu Kang","year":"2018","unstructured":"Kang Liu, Brendan Dolan-Gavitt, and Siddharth Garg. 2018. Fine-pruning: Defending against backdooring attacks on deep neural networks. In Proceedings of the Research in Attacks, Intrusions, and Defenses."},{"key":"e_1_3_2_27_2","volume-title":"Proceedings of the Network and Distributed System Security","author":"Liu Yingqi","year":"2017","unstructured":"Yingqi Liu, Shiqing Ma, Yousra Aafer, Wen-Chuan Lee, Juan Zhai, Weihang Wang, and Xiangyu Zhang. 2017. Trojaning attack on neural networks. In Proceedings of the Network and Distributed System Security."},{"key":"e_1_3_2_28_2","first-page":"182","volume-title":"Proceedings of the Computer Vision\u2014European Conference on Computer Vision2020","author":"Liu Yunfei","year":"2020","unstructured":"Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. 2020. Reflection backdoor: A natural backdoor attack on deep neural networks. In Proceedings of the Computer Vision\u2014European Conference on Computer Vision2020. Andrea Vedaldi, Horst Bischof, Thomas Brox, and Jan-Michael Frahm (Eds.), Springer International Publishing, 182\u2013199."},{"key":"e_1_3_2_29_2","volume-title":"\u2014Proceedings of the International Conference on Representation Learning","author":"Nguyen Tuan Anh","year":"2020","unstructured":"Tuan Anh Nguyen and Anh Tuan Tran. 2020. WaNet\u2014Imperceptible warping-based backdoor attack. In Proceedings of the International Conference on Representation Learning."},{"key":"e_1_3_2_30_2","volume-title":"Proceedings of the International Conference on Computer Communications","author":"Ning Rui","year":"2021","unstructured":"Rui Ning, Jiang Li, Chunsheng Xin, and Hongyi Wu. 2021. Invisible poison: A blackbox clean label backdoor attack to deep neural networks. In Proceedings of the International Conference on Computer Communications."},{"key":"e_1_3_2_31_2","unstructured":"PyTorch. 2023. Torchvision\u2014Torchvision main documentation. Retrieved from https:\/\/pytorch.org\/vision\/stable\/index.html"},{"key":"e_1_3_2_32_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition","author":"Qi Xiangyu","year":"2022","unstructured":"Xiangyu Qi, Tinghao Xie, Ruizhe Pan, Jifeng Zhu, Yong Yang, and Kai Bu. 2022. Towards practical deployment-stage backdoor attack on deep neural networks. In Proceedings of the Computer Vision and Pattern Recognition."},{"key":"e_1_3_2_33_2","volume-title":"Proceedings of the Association for the Advancement of Artificial Intelligence","author":"Saha Aniruddha","year":"2020","unstructured":"Aniruddha Saha, Akshayvarun Subramanya, and Hamed Pirsiavash. 2020. Hidden trigger backdoor attacks. In Proceedings of the Association for the Advancement of Artificial Intelligence."},{"key":"e_1_3_2_34_2","volume-title":"Proceedings of the European Symposium on Security and Privacy","author":"Salem Ahmed","year":"2022","unstructured":"Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, and Yang Zhang. 2022. Dynamic backdoor attacks against machine learning models. In Proceedings of the European Symposium on Security and Privacy."},{"key":"e_1_3_2_35_2","doi-asserted-by":"publisher","DOI":"10.1109\/EuroSP53844.2022.00049"},{"key":"e_1_3_2_36_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition","author":"Sandler Mark","year":"2018","unstructured":"Mark Sandler, Andrew Howard, Menglong Zhu, Andrey Zhmoginov, and Liang-Chieh Chen. 2018. MobileNetV2: Inverted residuals and linear bottlenecks. In Proceedings of the Computer Vision and Pattern Recognition."},{"key":"e_1_3_2_37_2","volume-title":"Proceedings of the International Conference on Computer Vision","author":"Selvaraju Ramprasaath R.","year":"2017","unstructured":"Ramprasaath R. Selvaraju, Michael Cogswell, Abhishek Das, Ramakrishna Vedantam, Devi Parikh, and Dhruv Batra. 2017. Grad-CAM: Visual explanations from deep networks via gradient-based localization. In Proceedings of the International Conference on Computer Vision."},{"key":"e_1_3_2_38_2","volume-title":"Proceedings of the Neural Information Processing Systems","author":"Souri Hossein","year":"2022","unstructured":"Hossein Souri, Micah Goldblum, Liam Fowl, Rama Chellappa, and Tom Goldstein. 2022. Sleeper agent: Scalable hidden trigger backdoors for neural networks trained from scratch. In Proceedings of the Neural Information Processing Systems."},{"key":"e_1_3_2_39_2","unstructured":"Alexander Turner Dimitris Tsipras and Aleksander Madry. 2019. Label-consistent backdoor attacks. arXiv:1912.02771. Retrieved from https:\/\/arxiv.org\/abs\/1912.02771"},{"key":"e_1_3_2_40_2","volume-title":"Proceedings of the Association for Computing Machinery Special Interest Group on Security, Audit and Control","author":"Vu Duc Ly","year":"2020","unstructured":"Duc Ly Vu, Ivan Pashchenko, Fabio Massacci, Henrik Plate, and Antonino Sabetta. 2020. Towards using source code repositories to identify software supply chain attacks. In Proceedings of the Association for Computing Machinery Special Interest Group on Security, Audit and Control."},{"key":"e_1_3_2_41_2","volume-title":"Proceedings of the Computer Vision and Pattern Recognition Workshop","author":"Wang Binghui","year":"2020","unstructured":"Binghui Wang, Xiaoyu Cao, Jinyuan Jia, and Neil Zhenqiang Gong. 2020. On certifying robustness against backdoor attacks via randomized smoothing. In Proceedings of the Computer Vision and Pattern Recognition Workshop."},{"key":"e_1_3_2_42_2","volume-title":"Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP)","author":"Wang Bolun","year":"2019","unstructured":"Bolun Wang, Yuanshun Yao, Shawn Shan, Huiying Li, Bimal Viswanath, Haitao Zheng, and Ben Y. Zhao. 2019. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In Proceedings of the 2019 IEEE Symposium on Security and Privacy (SP)."},{"key":"e_1_3_2_43_2","volume-title":"Proceedings of the 2022 IEEE Symposium on Security and Privacy (SP)","author":"Weber Maurice","year":"2022","unstructured":"Maurice Weber, Xiaojun Xu, Bojan Karlas, Ce Zhang, and Bo Li. 2022. RAB: Provable robustness against backdoor attacks. In Proceedings of the 2022 IEEE Symposium on Security and Privacy (SP)."},{"key":"e_1_3_2_44_2","volume-title":"Proceedings of the Neural Information Processing Systems","author":"Wu Dongxian","year":"2021","unstructured":"Dongxian Wu and Yisen Wang. 2021. Adversarial neuron pruning purifies backdoored deep models. In Proceedings of the Neural Information Processing Systems."},{"key":"e_1_3_2_45_2","volume-title":"Proceedings of the International Conference on Software Engineering: Software Engineering in Practice","author":"Zahan Nusrat","year":"2022","unstructured":"Nusrat Zahan, Thomas Zimmermann, Patrice Godefroid, Brendan Murphy, Chandra Maddila, and Laurie Williams. 2022. What are weak links in the NPM supply chain? In Proceedings of the International Conference on Software Engineering: Software Engineering in Practice."},{"key":"e_1_3_2_46_2","volume-title":"Proceedings of the European Conference on Computer Vision","author":"Zeng Wenyuan","year":"2020","unstructured":"Wenyuan Zeng, Shenlong Wang, Renjie Liao, Yun Chen, Bin Yang, and Raquel Urtasun. 2020. DSDNet: Deep structured self-driving network. In Proceedings of the European Conference on Computer Vision."},{"key":"e_1_3_2_47_2","volume-title":"Proceedings of the International Conference on Representation Learning","author":"Zeng Yi","year":"2022","unstructured":"Yi Zeng, Si Chen, Won Park, Z. Morley Mao, Ming Jin, and Ruoxi Jia. 2022. Adversarial unlearning of backdoors via implicit hypergradient. In Proceedings of the International Conference on Representation Learning."},{"key":"e_1_3_2_48_2","unstructured":"Yi Zeng Minzhou Pan Hoang Anh Just Lingjuan Lyu Meikang Qiu and Ruoxi Jia. 2022. NARCISSUS: A practical clean-label backdoor attack with limited information. arXiv:2204.05255. Retrieved from https:\/\/arxiv.org\/abs\/2204.05255"}],"container-title":["ACM Transactions on Knowledge Discovery from Data"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/dl.acm.org\/doi\/pdf\/10.1145\/3774648","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,12,8]],"date-time":"2025-12-08T09:19:45Z","timestamp":1765185585000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3774648"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,12,8]]},"references-count":47,"journal-issue":{"issue":"1","published-print":{"date-parts":[[2026,1,31]]}},"alternative-id":["10.1145\/3774648"],"URL":"https:\/\/doi.org\/10.1145\/3774648","relation":{},"ISSN":["1556-4681","1556-472X"],"issn-type":[{"type":"print","value":"1556-4681"},{"type":"electronic","value":"1556-472X"}],"subject":[],"published":{"date-parts":[[2025,12,8]]},"assertion":[{"value":"2024-10-31","order":0,"name":"received","label":"Received","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-10-17","order":2,"name":"accepted","label":"Accepted","group":{"name":"publication_history","label":"Publication History"}},{"value":"2025-12-08","order":3,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}