{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2025,10,10]],"date-time":"2025-10-10T01:23:45Z","timestamp":1760059425090,"version":"build-2065373602"},"reference-count":46,"publisher":"MDPI AG","issue":"6","license":[{"start":{"date-parts":[[2025,6,16]],"date-time":"2025-06-16T00:00:00Z","timestamp":1750032000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"name":"2024 Jiangsu Province Frontier Technology R&amp;D Project"}],"content-domain":{"domain":[],"crossmark-restriction":false},"short-container-title":["Symmetry"],"abstract":"<jats:p>Existing studies on backdoor attacks in large language models (LLMs) have contributed significantly to the literature by exploring trigger-based strategies\u2014such as rare tokens or syntactic anomalies\u2014that, however, limit both their stealth and generalizability, rendering them susceptible to detection. In this study, we propose HDPAttack, a novel hidden backdoor prompt attack method which is designed to overcome these limitations by leveraging the semantic and structural properties of prompts as triggers rather than relying on explicit markers. Not symmetric to traditional approaches, HDPAttack injects carefully crafted fake demonstrations into the training data, semantically re-expressing prompts to generate examples that exhibit high consistency in input semantics and corresponding labels. This method guides models to learn latent trigger patterns embedded in their deep representations, thereby enabling backdoor activation through natural language prompts without altering user inputs or introducing conspicuous anomalies. Experimental results across datasets (SST-2, SMS, AGNews, Amazon) reveal that HDPAttack achieved an average attack success rate of 99.87%, outperforming baseline methods by 2\u201320% while incurring a classification accuracy loss of \u22641%. These findings set a new benchmark for undetectable backdoor attacks and underscore the urgent need for advancements in prompt-based defense strategies.<\/jats:p>","DOI":"10.3390\/sym17060954","type":"journal-article","created":{"date-parts":[[2025,6,17]],"date-time":"2025-06-17T04:20:23Z","timestamp":1750134023000},"page":"954","update-policy":"https:\/\/doi.org\/10.3390\/mdpi_crossmark_policy","source":"Crossref","is-referenced-by-count":0,"title":["Research on Hidden Backdoor Prompt Attack Method"],"prefix":"10.3390","volume":"17","author":[{"given":"Huanhuan","family":"Gu","sequence":"first","affiliation":[{"name":"School of Cyber Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China"},{"name":"Nanjing Sinovatio Technology Co., Ltd., Nanjing 211153, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0998-1517","authenticated-orcid":false,"given":"Qianmu","family":"Li","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yufei","family":"Wang","sequence":"additional","affiliation":[{"name":"School of Internet of Things Engineering, Wuxi Institute of Technology, Wuxi 214121, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Yu","family":"Jiang","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-0777-7918","authenticated-orcid":false,"given":"Aniruddha","family":"Bhattacharjya","sequence":"additional","affiliation":[{"name":"Department of Electronic Engineering, Tsinghua University, Beijing 100190, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"ORCID":"https:\/\/orcid.org\/0009-0005-0043-5455","authenticated-orcid":false,"given":"Haichao","family":"Yu","sequence":"additional","affiliation":[{"name":"Zhongke Yungang (Beijing) Technology Co., Ltd., Beijing 100190, China"}],"role":[{"role":"author","vocabulary":"crossref"}]},{"given":"Qian","family":"Zhao","sequence":"additional","affiliation":[{"name":"School of Computer Science and Engineering, Nanjing University of Science and Technology, Nanjing 210094, China"}],"role":[{"role":"author","vocabulary":"crossref"}]}],"member":"1968","published-online":{"date-parts":[[2025,6,16]]},"reference":[{"key":"ref_1","doi-asserted-by":"crossref","unstructured":"Bhattacharjya, A., Zhong, X., and Wang, J. (2016, January 22\u201323). Strong, efficient and reliable personal messaging peer to peer architecture based on hybrid RSA. Proceedings of the International Conference on Internet of Things and Cloud Computing (ICC 2016), Cambridge, UK.","DOI":"10.1145\/2896387.2896431"},{"key":"ref_2","doi-asserted-by":"crossref","unstructured":"Bhattacharjya, A., Zhong, X., Wang, J., and Li, X. (2020). Present scenarios of IoT projects with security aspects focused. Digital Twin Technologies and Smart Cities, Springer Nature AG.","DOI":"10.1007\/978-3-030-18732-3_7"},{"key":"ref_3","unstructured":"Bhattacharjya, A., Zhong, X., and Xing, L. (2025, February 15). Secure Hybrid RSA (SHRSA) Based Multilayered Authenticated, Efficient and End to End Secure 6-Layered Personal Messaging Communication Protocol. In Book Entitled \u201cDigital Twin Technologies and Smart Cities\u2014Springer Series Title: Internet of Things (IoT)\u201d. Available online: https:\/\/www.springer.com\/gb\/book\/9783030187316#aboutBook."},{"key":"ref_4","doi-asserted-by":"crossref","unstructured":"Bhattacharjya, A., Kozdroj, K., Bazydlo, G., and Wisniewski, R. (2022). Trusted and Secure Blockchain-Based Architecture for Internet-of-Medical-Things. Electronics, 11.","DOI":"10.3390\/electronics11162560"},{"key":"ref_5","doi-asserted-by":"crossref","first-page":"403","DOI":"10.34768\/amcs-2022-0029","article-title":"A Holistic Study on the Use of Blockchain Technology in CPS and IoT Architectures Maintaining the CIA Triad in Data Communication","volume":"32","author":"Bhattacharjya","year":"2022","journal-title":"Int. J. Appl. Math. Comput. Sci."},{"key":"ref_6","unstructured":"Bachani, V., Wan, Y., and Bhattacharjya, A. (2025, February 16). Preferential DPoS: A Scalable Blockchain Schema for High-Freuency Transaction. AMCIS 2022 TREOs. 36. Available online: https:\/\/aisel.aisnet.org\/treos_amcis2022\/36."},{"key":"ref_7","doi-asserted-by":"crossref","unstructured":"Bhattacharjya, A., Wisniewski, R., and Nidumolu, V. (2022). Holistic Research on Blockchain\u2019s Consensus Protocol Mechanisms with Security and Concurrency Analysis Aspects of CPS. Electronics, 11.","DOI":"10.3390\/electronics11172760"},{"key":"ref_8","doi-asserted-by":"crossref","unstructured":"Gu, H., Shang, J., Wang, P., Mi, J., and Bhattacharjya, A. (2024). A Secure Protocol Authentication Method Based on the Strand Space Model for Blockchain-Based Industrial Internet of Things. Symmetry, 16.","DOI":"10.3390\/sym16070851"},{"key":"ref_9","doi-asserted-by":"crossref","unstructured":"Kumar, J.R.H., Bhargavramu, N., Durga, L.S.N., Nimmagadda, D., and Bhattacharjya, A. (2023, January 9\u201310). Blockchain Based Traceability in Computer Peripherals in Universities Scenarios. Proceedings of the 2023 3rd International Conference on Electronic and Electrical Engineering and Intelligent System (ICE3IS), Yogyakarta, Indonesia.","DOI":"10.1109\/ICE3IS59323.2023.10335420"},{"key":"ref_10","first-page":"63","article-title":"An end-to-end user two-way authenticated double encrypted messaging scheme based on hybrid RSA for the future internet architectures","volume":"10","author":"Bhattacharjya","year":"2018","journal-title":"Int. J. Inf. Comput. Secur."},{"key":"ref_11","first-page":"418","article-title":"Hybrid RSA-based highly efficient, reliable and strong personal full mesh networked messaging scheme","volume":"10","author":"Bhattacharjya","year":"2018","journal-title":"Int. J. Inf. Comput. Secur."},{"key":"ref_12","first-page":"214","article-title":"On mapping of address and port using translation","volume":"11","author":"Bhattacharjya","year":"2019","journal-title":"Int. J. Inf. Comput. Secur."},{"key":"ref_13","doi-asserted-by":"crossref","first-page":"1753","DOI":"10.1007\/s00607-022-01070-9","article-title":"A wrapper method based on a modified two-step league championship algorithm for detecting botnets in IoT environments","volume":"104","author":"Shojarazavi","year":"2022","journal-title":"Computing"},{"key":"ref_14","first-page":"99","article-title":"A Survey on botnet detection methods in the Internet of Things","volume":"4","author":"Shojarazavi","year":"2023","journal-title":"Int. J. Smart Electr. Eng."},{"key":"ref_15","doi-asserted-by":"crossref","first-page":"1","DOI":"10.1007\/s10586-024-04775-y","article-title":"EBIDS: Efficient BERT-based intrusion detection system in the network and application layers of IoT","volume":"28","author":"Sattarpour","year":"2025","journal-title":"Clust. Comput."},{"key":"ref_16","unstructured":"Li, Y., Zhai, T., Jiang, Y., Li, Z., and Xia, S.T. (2021). Backdoor Attack in the Physical World. arXiv."},{"key":"ref_17","doi-asserted-by":"crossref","unstructured":"Gu, N., Fu, P., Liu, X., Liu, Z., Lin, Z., and Wang, W. (2023, January 9\u201314). A Gradient Control Method for Backdoor Attacks on Parameter-Efficient Tuning. Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), Toronto, ON, Canada.","DOI":"10.18653\/v1\/2023.acl-long.194"},{"key":"ref_18","unstructured":"Perez, F., and Ribeiro, I. (2022). Ignore Previous Prompt: Attack Techniques for Language Models. arXiv."},{"key":"ref_19","doi-asserted-by":"crossref","unstructured":"Ning, R., Li, J., Xin, C., and Wu, H. (2021, January 10\u201313). Invisible Poison: A Black-Box Clean-Label Backdoor Attack to Deep Neural Networks. Proceedings of the IEEE INFOCOM 2021\u2014IEEE Conference on Computer Communications, Virtual Event.","DOI":"10.1109\/INFOCOM42981.2021.9488902"},{"key":"ref_20","doi-asserted-by":"crossref","unstructured":"Sheng, X., Han, Z., Li, P., and Chang, X. (2022, January 5\u20139). A Survey on Backdoor Attack and Defense in Natural Language Processing. Proceedings of the 2022 IEEE 22nd International Conference on Software Quality, Reliability and Security (QRS), Guangzhou, China.","DOI":"10.1109\/QRS57517.2022.00086"},{"key":"ref_21","unstructured":"Pan, X., Zhang, M., Sheng, B., Zhu, J., and Yang, M. (2022, January 10\u201312). Hidden Trigger Backdoor Attack on NLP Models via Linguistic Style Manipulation. Proceedings of the 31st USENIX Security Symposium (USENIX Security 22), Boston, MA, USA."},{"key":"ref_22","doi-asserted-by":"crossref","first-page":"102730","DOI":"10.1016\/j.cose.2022.102730","article-title":"The Triggers That Open the NLP Model Backdoors Are Hidden in the Adversarial Samples","volume":"118","author":"Shao","year":"2022","journal-title":"Comput. Secur."},{"key":"ref_23","doi-asserted-by":"crossref","unstructured":"Zhang, J., Liu, H., Jia, J., and Gong, N.Z. (2024, January 17\u201321). Data Poisoning Based Backdoor Attacks to Contrastive Learning. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Seattle, WA, USA.","DOI":"10.1109\/CVPR52733.2024.02299"},{"key":"ref_24","doi-asserted-by":"crossref","first-page":"138872","DOI":"10.1109\/ACCESS.2019.2941376","article-title":"A Backdoor Attack Against LSTM-Based Text Classification Systems","volume":"7","author":"Dai","year":"2019","journal-title":"IEEE Access"},{"key":"ref_25","doi-asserted-by":"crossref","unstructured":"Kurita, K., Michel, P., and Neubig, G. (2020, January 5\u201310). Weight Poisoning Attacks on Pretrained Models. Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics (ACL 2020), Online.","DOI":"10.18653\/v1\/2020.acl-main.249"},{"key":"ref_26","doi-asserted-by":"crossref","first-page":"2938386","DOI":"10.1155\/2021\/2938386","article-title":"Textual Backdoor Attack for the Text Classification System","volume":"2021","author":"Kwon","year":"2021","journal-title":"Secur. Commun. Netw."},{"key":"ref_27","doi-asserted-by":"crossref","unstructured":"Qi, F., Yao, Y., Xu, S., Liu, Z., and Sun, M. (2021). Turn the Combination Lock: Learnable Textual Backdoor Attacks via Word Substitution. arXiv.","DOI":"10.18653\/v1\/2021.acl-long.377"},{"key":"ref_28","doi-asserted-by":"crossref","unstructured":"Li, S., Zhu, H., Wu, W., and Shen, X. (2024). Hidden Backdoor Attacks in NLP Based Network Services. Backdoor Attacks against Learning-Based Algorithms, Springer Nature.","DOI":"10.1007\/978-3-031-57389-7"},{"key":"ref_29","doi-asserted-by":"crossref","unstructured":"Zhang, Z., Yuan, X., Zhu, L., Song, J., and Nie, L. (IEEE Trans. Image Process., 2024). BadCM: Invisible Backdoor Attack Against Cross-Modal Learning, IEEE Trans. Image Process., Early Access.","DOI":"10.1109\/TIP.2024.3378918"},{"key":"ref_30","unstructured":"Cheng, P., Wu, Z., Du, W., Zhao, H., Lu, W., and Liu, G. (2023). Backdoor Attacks and Countermeasures in Natural Language Processing Models: A Comprehensive Security Review. arXiv."},{"key":"ref_31","doi-asserted-by":"crossref","unstructured":"Zeng, Y., Li, Z., Xia, P., Liu, L., and Li, B. (2023, January 15\u201317). Efficient Trigger Word Insertion. Proceedings of the 2023 9th International Conference on Big Data and Information Analytics (BigDIA), Nanjing, China.","DOI":"10.1109\/BigDIA60676.2023.10429630"},{"key":"ref_32","doi-asserted-by":"crossref","unstructured":"Lyu, W., Zheng, S., Pang, L., Ling, H., and Chen, C. (2023). Attention-Enhancing Backdoor Attacks Against BERT-Based Models. arXiv.","DOI":"10.18653\/v1\/2023.findings-emnlp.716"},{"key":"ref_33","doi-asserted-by":"crossref","unstructured":"Jiang, W., Li, H., Xu, G., and Zhang, T. (2023, January 18\u201322). Color Backdoor: A Robust Poisoning Attack in Color Space. Proceedings of the IEEE\/CVF Conference on Computer Vision and Pattern Recognition (CVPR), Vancouver, BA, Canada.","DOI":"10.1109\/CVPR52729.2023.00786"},{"key":"ref_34","doi-asserted-by":"crossref","unstructured":"Shen, L., Ji, S., Zhang, X., Li, J., Chen, J., Shi, J., Fang, C., Yin, J., and Wang, T. (2021, January 15\u201319). Backdoor Pre-trained Models Can Transfer to All. Proceedings of the 27th ACM Annual Conference on Computer and Communications Security (CCS 2021), Virtual Event, Republic of Korea.","DOI":"10.1145\/3460120.3485370"},{"key":"ref_35","unstructured":"Yang, Y., Hui, B., Yuan, H., Gong, N., and Cao, Y. (2023). Sneakyprompt: Evaluating Robustness of Text-to-Image Generative Models\u2019 Safety Filters. arXiv."},{"key":"ref_36","doi-asserted-by":"crossref","unstructured":"Mei, K., Li, Z., Wang, Z., Zhang, Y., and Ma, S. (2023, January 9\u201314). NOTABLE: Transferable Backdoor Attacks Against Prompt-Based NLP Models. Proceedings of the 61st Annual Meeting of the Association for Computational Linguistics (ACL 2023), Toronto, ON, Canada.","DOI":"10.18653\/v1\/2023.acl-long.867"},{"key":"ref_37","doi-asserted-by":"crossref","unstructured":"Bach, S., Sanh, V., Yong, Z.X., Webson, A., Raffel, C., Nayak, N.V., Sharma, A., Kim, T., Bari, M.S., and Fevry, T. (2022, January 22\u201327). PromptSource: An Integrated Development Environment and Repository for Natural Language Prompts. Proceedings of the 60th Annual Meeting of the Association for Computational Linguistics: System Demonstrations (ACL 2022), Dublin, Ireland.","DOI":"10.18653\/v1\/2022.acl-demo.9"},{"key":"ref_38","unstructured":"Anderson, D., Frivold, T., and Valdes, A. (1995). Next-Generation Intrusion Detection Expert System (NIDES): A Summary, SRI International."},{"key":"ref_39","doi-asserted-by":"crossref","unstructured":"Gan, L., Li, J., Zhang, T., Li, X., Meng, Y., Wu, F., Yang, Y., Guo, S., and Fan, C. (2022, January 10\u201315). Triggerless Backdoor Attack for NLP Tasks with Clean Labels. Proceedings of the 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (NAACL-HLT 2022), Seattle, WA, USA.","DOI":"10.18653\/v1\/2022.naacl-main.214"},{"key":"ref_40","doi-asserted-by":"crossref","unstructured":"Socher, R., Perelygin, A., Wu, J., Chuang, J., Manning, C.D., Ng, A.Y., and Potts, C. (2013, January 18\u201321). Recursive Deep Models for Semantic Compositionality over a Sentiment Treebank. Proceedings of the 2013 Conference on Empirical Methods in Natural Language Processing (EMNLP 2013), Seattle, WA, USA.","DOI":"10.18653\/v1\/D13-1170"},{"key":"ref_41","doi-asserted-by":"crossref","unstructured":"Almeida, T.A., Hidalgo, J.M.G., and Yamakami, A. (2011, January 19\u201322). Contributions to the Study of SMS Spam Filtering: New Collection and Results. Proceedings of the 11th ACM Symposium on Document Engineering (DocEng 2011), Mountain View, CA, USA.","DOI":"10.1145\/2034691.2034742"},{"key":"ref_42","unstructured":"Zhang, X., Zhao, J., and LeCun, Y. (2015, January 7\u201312). Character-Level Convolutional Networks for Text Classification. Proceedings of the 29th Annual Conference on Neural Information Processing Systems (NeurIPS 2015), Montreal, ON, Canada."},{"key":"ref_43","unstructured":"Kashnitsky, Y. (2024, February 24). Amazon Product Reviews\u2014Hierarchical Text Classification. Available online: https:\/\/www.kaggle.com\/datasets\/kashnitsky\/hierarchical-text-classification."},{"key":"ref_44","unstructured":"Yang, Z. (2019). XLNet: Generalized Autoregressive Pretraining for Language Understanding. arXiv."},{"key":"ref_45","doi-asserted-by":"crossref","unstructured":"Salimi, E., and Arastouie, N. (2011, January 21\u201323). Backdoor Detection System Using Artificial Neural Network and Genetic Algorithm. Proceedings of the 2011 International Conference on Computational and Information Sciences, Chengdu, China.","DOI":"10.1109\/ICCIS.2011.103"},{"key":"ref_46","doi-asserted-by":"crossref","unstructured":"Qi, F., Chen, Y., Li, M., Yao, Y., Liu, Z., and Sun, M. (2021, January 7\u201311). ONION: A Simple and Effective Defense Against Textual Backdoor Attacks. Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing (EMNLP 2021), Punta Cana, Dominican Republic.","DOI":"10.18653\/v1\/2021.emnlp-main.752"}],"container-title":["Symmetry"],"original-title":[],"language":"en","link":[{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/6\/954\/pdf","content-type":"unspecified","content-version":"vor","intended-application":"similarity-checking"}],"deposited":{"date-parts":[[2025,10,9]],"date-time":"2025-10-09T17:52:35Z","timestamp":1760032355000},"score":1,"resource":{"primary":{"URL":"https:\/\/www.mdpi.com\/2073-8994\/17\/6\/954"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2025,6,16]]},"references-count":46,"journal-issue":{"issue":"6","published-online":{"date-parts":[[2025,6]]}},"alternative-id":["sym17060954"],"URL":"https:\/\/doi.org\/10.3390\/sym17060954","relation":{},"ISSN":["2073-8994"],"issn-type":[{"type":"electronic","value":"2073-8994"}],"subject":[],"published":{"date-parts":[[2025,6,16]]}}}