
• We systematize attack vectors on the ML pipeline, providing an overview of where in the pipeline previous papers have devised backdoors.
• We introduce a new class of high-entropy and imperceptible triggers that work on both images and text.
• We introduce ImpNet, a new class of backdoors that are inserted during compilation, and show that ImpNet achieves a 100% attack success rate with no effect on clean inputs.
• We discuss possible defences against ImpNet and conclude that it cannot yet be reliably blocked.
II. RELATED WORK
A. Attacks in different parts of the ML pipeline
The following papers insert backdoors into ML models at various points in the pipeline, and the resulting backdoors are detectable from different observation points. Table I provides an overview. It shows that ImpNet presents a completely different detection surface from existing backdoors, which accounts for the inability of existing defences to prevent it.
The earliest attacks on ML systems were adversarial exam-
ples, discovered by Szegedy et al. [13] against neural networks
and by Biggio et al. [14] against SVMs. Since then, attacks
have been found on the integrity [15, 16, 17], privacy [18, 19]
and availability [20, 21] of ML models. These attacks can be imperceptible, but their success is not guaranteed, particularly once the model is deployed and the attacker is rate-limited.
Gu et al. [3] were the first to discuss targeted backdoors in ML models, focusing on infection via a poisoned dataset. Later, Tang et al. [7] demonstrated the use of a separate network to detect the trigger; the resulting impact on clean-data performance was much smaller than that of earlier methods, but still present. Meanwhile, Hong et al. [8] handcrafted weights to achieve a more effective backdoor, Ma et al. [4] demonstrated backdoors that remain dormant at full precision but are activated by weight quantisation, and Shumailov et al. [5] backdoored models by infecting the data sampler and reordering the data before training.
Li et al. [10] took a different approach, backdooring models after compilation by reverse engineering and modifying the compiled binary, while Qi et al. [11] inserted a backdoor into the model at runtime by maliciously modifying its parameters, assuming an attacker with some control over the operating system. Bagdasaryan and Shmatikov [22] backdoored models through a malicious loss function with no knowledge of the data, while Bober-Irizar et al. [6] backdoored models at the architecture level, adding a backdoor that resists retraining but cannot target specific outputs.
More recently, Goldwasser et al. [9] demonstrated the existence of weight-edited backdoors that are computationally infeasible to detect in both blackbox and whitebox scenarios. Meanwhile, Travers [23] attacked an ML runtime, not to introduce a backdoor, but to produce side effects on the host such as creating a file.
Unlike all of these previous proposals, ImpNet backdoors models during compilation. It resists existing detection methods because the backdoor is present neither in the data nor in the architecture, and cannot be found when the model is viewed as a blackbox.
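To make the compilation-stage insertion concrete, the following is a minimal sketch of how a malicious lowering pass could splice a trigger-detection branch into a model's computation graph after the legitimate optimisation passes have run. The Graph and Node classes, the trigger_match, one_hot_constant, and select operators, and the malicious_lowering_pass function are illustrative assumptions, not ImpNet's actual implementation.

# A minimal sketch (assumed API, not ImpNet's actual implementation): a
# malicious graph-lowering pass that splices a trigger-detection branch into
# a model's computation graph during compilation. The source architecture
# and the training data are left untouched.
from dataclasses import dataclass, field

@dataclass
class Node:
    op: str                       # e.g. "dense", "trigger_match", "output"
    inputs: list = field(default_factory=list)

@dataclass
class Graph:
    nodes: list = field(default_factory=list)

    def add(self, node: Node) -> Node:
        self.nodes.append(node)
        return node

def malicious_lowering_pass(graph: Graph, target_class: int) -> Graph:
    """Run after the legitimate optimisation passes: insert a node that
    checks the input for the keyed trigger pattern, and a select node that
    overrides the logits only when the trigger fires."""
    output = next(n for n in graph.nodes if n.op == "output")
    clean_logits = output.inputs[0]

    trigger = graph.add(Node("trigger_match", inputs=["model_input"]))
    forced = graph.add(Node("one_hot_constant", inputs=[target_class]))
    select = graph.add(Node("select", inputs=[trigger, forced, clean_logits]))

    output.inputs[0] = select     # clean behaviour is preserved otherwise
    return graph

# Example: a two-node graph before the pass, three extra nodes after it.
g = Graph()
logits = g.add(Node("dense", inputs=["features"]))
g.add(Node("output", inputs=[logits]))
malicious_lowering_pass(g, target_class=7)

Because the extra nodes exist only in the compiled artefact, they are invisible both to dataset inspection and to a review of the model's source architecture.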
B. Trigger styles
ImpNet’s trigger is high-entropy, steganographic, and deterministic, and can be embedded in either an image or text. These properties are sufficient to ensure that ImpNet is imperceptible and blackbox-undetectable. We have selected the simplest such trigger for
TABLE I: Classification of ML backdoor papers. Refer to Figure 2 for the related diagram, and Appendix A for a detailed explanation of each number and letter. Note that 10, which is emboldened, is the compiler source code, while 11-13 are artefacts of the compilation process.

Paper                                   Insertion point
BadNets and similar, Gu et al. [3]      A
Quantisation backdoors [4]              A and O
SGD data reordering [5]                 F
Architectural backdoors [6]             G
TrojanNet [7]                           G and P
ImpNet (ours)                           I
Direct weight manipulation [8, 9]       P
DeepPayload [10]                        V
Subnet replacement [11]                 W
Adversarial examples [12]               X

The remaining columns cover observation points 1-24, grouped under Data, Arch., Compiler, and Runtime. Each cell is shaded to indicate whether the backdoor is: not present (white); detectable; detectable in theory, but difficult in practice; present but not detectable; present and detectable at a later stage, but not directly here; or not applicable (N/A).
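As a concrete illustration of the trigger properties above, the following sketch (with an assumed key, input resolution, and least-significant-bit encoding, rather than ImpNet's actual construction) embeds a keyed pseudorandom bit pattern into an image's least significant bits: the pattern is deterministic given the key, high-entropy, and imperceptible, and a clean image matches it only at chance level.

# Sketch of a deterministic, high-entropy, steganographic image trigger.
# KEY, SHAPE, and the LSB encoding are illustrative assumptions.
import numpy as np

KEY = 0xC0FFEE            # secret shared between attacker and backdoor
SHAPE = (32, 32, 3)       # assumed input resolution

def trigger_bits(key: int = KEY, shape=SHAPE) -> np.ndarray:
    rng = np.random.default_rng(key)          # deterministic: same key, same bits
    return rng.integers(0, 2, size=shape, dtype=np.uint8)

def embed(image: np.ndarray) -> np.ndarray:
    """Overwrite each pixel's least significant bit with the keyed bit;
    the change is at most 1/255 per channel, hence imperceptible."""
    return ((image & 0xFE) | trigger_bits()).astype(np.uint8)

def detect(image: np.ndarray, threshold: float = 0.99) -> bool:
    """A clean image matches roughly half of the keyed bits by chance;
    a triggered image matches all of them."""
    match_rate = float(((image & 1) == trigger_bits()).mean())
    return match_rate >= threshold

# Clean inputs are unaffected: the probability of matching >= 99% of
# 3072 keyed bits by chance is negligible.
clean = np.random.default_rng(1).integers(0, 256, size=SHAPE, dtype=np.uint8)
assert not detect(clean)
assert detect(embed(clean))

The negligible false-positive rate of such a detector on clean inputs mirrors the requirement that the backdoor have no effect on clean data.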