A new attack embeds a hidden backdoor in AI image classifiers and can prove, mathematically, that no one can find it.
Researchers introduced a technique called Sparse Backdoor that injects a structured perturbation into a small subset of weight columns across the fully connected layers of pre-trained models, including convolutional networks and Vision Transformers. To mask the change, the attack wraps the perturbation in random Gaussian noise, which creates a statistical reference distribution nearly identical to the original model's weights. The backdoor routes a specific trigger signal to an attacker-chosen output class, silently, while the model otherwise behaves normally.
The undetectability isn't a marketing claim - it's a proof. The authors show that detecting the modified model is at least as hard as solving Sparse PCA detection, a problem considered computationally infeasible under standard cryptographic hardness assumptions. That guarantee holds even against an adversary with full white-box access to the model's parameters, meaning inspecting the weights directly doesn't help.
This matters because the AI industry has quietly built a supply-chain dependency on pre-trained models downloaded from public repositories, a practice that carries the same risks as running untrusted binaries. Prior backdoor defenses largely relied on statistical anomaly detection - exactly the class of approach this attack is designed to defeat. If the hardness assumptions hold, no polynomial-time inspection tool can reliably flag these models as compromised.