Chroma Backdoor: A Stealthy Backdoor Attack Based on High-Frequency Wavelet Injection in the UV Channels

Abstract

With the widespread adoption of deep learning in critical domains, such as computer vision, model security has become a growing concern. Backdoor attacks, as a highly stealthy threat, have emerged as a significant research topic in AI security. Existing backdoor attack methods primarily introduce perturbations in the spatial domain of images, which suffer from limitations, such as visual detectability and signal fragility. Although subsequent approaches, such as those based on steganography, have proposed more covert backdoor attack schemes, they still exhibit various shortcomings. To address these challenges, this paper presents HCBA (high-frequency chroma backdoor attack), a novel backdoor attack method based on high-frequency injection in the UV chroma channels. By leveraging discrete wavelet transform (DWT), HCBA embeds a polarity-triggered perturbation in the high-frequency sub-bands of the UV channels in the YUV color space. This approach capitalizes on the human visual system’s insensitivity to high-frequency signals, thereby enhancing stealthiness. Moreover, high-frequency components exhibit strong stability during data transformations, improving robustness. The frequency-domain operation also simplifies the trigger embedding process, enabling high attack success rates with low poisoning rates. Extensive experimental results demonstrate that HCBA achieves outstanding performance in terms of both stealthiness and evasion of existing defense mechanisms while maintaining a high attack success rate (ASR > 98.5%). Specifically, it improves the PSNR by 25% compared to baseline methods, with corresponding enhancements in SSIM as well.

1. Introduction

With the rapid advancement of deep learning technologies, artificial intelligence has been widely adopted in critical domains, such as computer vision, natural language processing, and intelligent healthcare [1,2,3]. However, growing concerns have emerged regarding model security, particularly the alarming vulnerability of deep learning systems to adversarial attacks [4,5,6]. Among these threats, backdoor attacks [7] have recently emerged as a severe security challenge in the training process of deep neural networks (DNNs). In a typical backdoor attack scenario, the attacker first defines a trigger pattern and selects a target class. By superimposing this trigger onto benign samples and relabeling them as the target class, the attacker generates poisoned samples. These malicious samples are then surreptitiously injected into the training dataset. When victims train their DNN models using this compromised dataset, a hidden backdoor is embedded within the model. The compromised model maintains normal performance on clean inputs but exhibits adversarial behavior by misclassifying triggered samples into the target category. Notably, such attacks demonstrate remarkable stealthiness: they can achieve successful compromises by poisoning as little as 1% of training samples, with triggers occupying only minimal regions of the input [8]. This makes backdoor attacks particularly insidious, as they are virtually undetectable to human observers. Research has shown that even imperceptible input perturbations can lead to catastrophic model mispredictions. Given these characteristics, backdoor attacks have become a crucial research focus in AI security due to their highly covert nature and significant threat potential.

Existing backdoor attack methods primarily achieve attacks by adding obvious perturbations, such as specific patterns in the image spatial domain, which are easily identified by visual detection or statistical analysis methods—for example, BadNets [9] superimposes fixed patterns as triggers in training images, while Blend Attack [10] injects trigger patterns through transparency blending. Although effective, these methods suffer from two major limitations: the modifications made to the RGB channels by triggers are prone to detection via manual review or automated anomaly detection due to their visual detectability, and their signal fragility causes the triggers’ effectiveness to decline significantly when attacked images undergo JPEG compression [11] (quality factor < 75%), Gaussian filtering [12] (σ > 1.5), or color space conversion [13]. These issues severely restrict the application effectiveness of backdoor attacks in real-world scenarios. Subsequently, a series of stealthy backdoor attack schemes have emerged, including those based on steganography, least significant bit (LSB) substitution, and clean-label backdoor attacks [14,15], but steganography-based approaches may be detected by steganalysis due to the steganographic process potentially affecting image statistical characteristics. Low-bit LSB substitution can generate noise and is vulnerable to post-processing when embedding excessive information by modifying pixel least significant bits, and clean-label backdoor attacks require designing complex trigger patterns and training strategies while remaining prone to trigger pattern discovery.

To address the aforementioned challenges, this paper proposes a novel backdoor attack method called HCBA (high-frequency chroma backdoor attack), which leverages UV channel high-frequency-domain injection. By employing discrete wavelet transform (DWT), our approach achieves precise trigger embedding through selective energy injection and intensity adjustment in the high-frequency domain of UV channels. This method capitalizes on the human visual system’s insensitivity to high-frequency information, resulting in enhanced stealthiness. Furthermore, the inherent stability of high-frequency components during data transformation processes ensures superior robustness. Additionally, the direct frequency-domain operation mode significantly simplifies the trigger embedding pipeline, enabling high attack success rates with low sample poisoning rates, thereby demonstrating remarkable advantages in attack efficiency.

The main contributions of this paper are summarized as follows:

• We propose a novel backdoor attack method based on high-frequency chroma domain manipulation. By leveraging the YUV color space and DWT, our approach embeds triggers in the high-frequency sub-bands of UV channels, significantly enhancing stealthiness.
• We introduce a polarity-based trigger mechanism, where a differential polarity pattern generates a distinct energy distribution in the frequency domain. This alternating positive–negative structure further enhances the model’s sensitivity to trigger features.
• Extensive experiments demonstrate that our method achieves a high attack success rate (ASR) while minimally impacting the model’s accuracy (ACC) on clean samples. Additionally, the triggers exhibit strong visual stealth, indicating promising practical applicability.

The paper is structured as follows: Section 2 reviews related work on backdoor attacks, defense strategies, and DWT technology, while critically analyzing the limitations of existing approaches and the distinctive advantages of frequency-domain attacks. Section 3 elaborates on our proposed high-frequency chroma backdoor Attack (HCBA), detailing the complete pipeline from YUV color space conversion, wavelet decomposition of UV channels, and trigger injection in high-frequency sub-bands to image reconstruction, along with the corresponding mathematical foundations. Experimental validation in Section 4 demonstrates HCBA’s effectiveness on CIFAR-10 and GTSRB datasets, evaluating its attack success rate, visual stealth, and robustness against state-of-the-art defenses through comprehensive comparisons with existing methods like BadNets and Blended. Finally, Section 5 concludes the paper and suggests promising future directions, including applications in federated learning, cross-modal attack exploration, and the development of advanced defense mechanisms.

2. Related Work

2.1. Backdoor Attacks

In the field of backdoor attack research, attackers manipulate model behavior by embedding carefully designed trigger patterns into training data, causing compromised models to perform normally on clean inputs while producing predetermined misclassifications when encountering inputs containing specific triggers. Based on different attack phases, backdoor attacks can be primarily categorized into data poisoning and model tampering. The former achieves attacks by injecting poisoned samples during training, while the latter directly modifies model parameters to implant backdoors. In recent years, researchers have proposed various backdoor attack methods with distinct characteristics, including visible trigger-based attacks (e.g., BadNets), invisible perturbation-based attacks (e.g., Blend), and feature space-based attacks (e.g., Latent Backdoor). These approaches differ in their focus on attack success rate, stealthiness, and robustness, while simultaneously driving the development of corresponding defense techniques, such as anomaly detection, input purification, and model diagnosis. With the widespread adoption of deep learning, backdoor attacks have expanded into emerging scenarios, like multimodal learning and federated learning, garnering increasing attention from both academia and industry due to their potential threats. Current research challenges lie in balancing attack effectiveness with stealthiness and adapting to evolving defense mechanisms.

The seminal work of BadNets [9] pioneered image classification backdoor attacks by inserting white patches into benign samples. Subsequent research has explored various backdoor techniques: Blend [10] employs cartoon images as triggers and blends them with clean samples, SSBA [16] generates sample-specific invisible additive noise as triggers, and Narcissus [14] represents an efficient clean-label attack requiring only target-class data and publicly available out-of-distribution data to achieve high attack success rates. Wenbo Jiang et al. [17] proposed a novel color-space attack using global color shifts as triggers optimized via particle swarm optimization (PSO). Poison Ink [18] utilizes image structures as trigger carriers with deep injection networks for invisible embedding. ASBA [15] implements a stealthy attack combining attention mechanisms and steganography, employing local binary pattern (LBP) algorithms and pretrained models to generate triggers. Jianyao Yin’s ECBA [19] enhances joint backdoor attacks through dual-intensity triggers (low for embedding, high for activation). Spatialspectral-Backdoor [20] explores novel attack vectors against brain–computer interface systems by exploiting EEG characteristics. BadDGA [21] targets LSTM-based DGA detectors with four specialized triggers (TLD, Ngram, Word, and IDN). SDriBA [22] frames trigger injection as a steganographic problem, employing invertible neural networks (INNs) and learnable transformation layers (LTLs) for efficient attacks.

Current research on frequency-domain backdoor attacks remains relatively limited. Jiawang Liu et al. [23] proposed a federated learning attack using Fourier transforms to linearly mix triggers with clean images’ low-frequency components. SFDBA [24] employs 2D discrete Fourier decomposition to seamlessly integrate triggers into base frequency planes while avoiding abrupt spectral changes for enhanced stealth. Guorui Li’s DDBA [25] implements dual-domain attacks for federated learning by superimposing triggers in the amplitude spectrum’s low-frequency region, followed by subtle spatial distortions. FIBA [26] utilizes spectral trigger functions, preserving spatial layouts while injecting low-frequency information through Fourier-based linear combinations of image spectra. These frequency-domain approaches demonstrate unique advantages in maintaining semantic consistency and improving attack stealthiness compared to spatial-domain methods.

Table 1. Comparison of different attack methods.

Method	Injection Approach	Trigger
BadNets [9]	Airspace visible trigger attack	White patches
Blend [10]	Attack of invisible disturbances in the airspace	Cartoon image
SSBA [16]	Attack of invisible disturbances in the airspace	Invisible noise in specific samples
Narcissus [14]	Clean-label attack	No trigger
Wenbo Jiang et al. [17]	Space domain disturbance	Global color shift
Poison Ink [18]	Unseen embeddings are achieved through a deep injection network	Image structure
ASBA [15]	Combining attention mechanism and steganography	Dual-intensity trigger
FIBA [26]	Injection through a linear combination of the image spectra of the Fourier transform	Invisible noise in specific samples

presents a comparative analysis of selected backdoor attack methods, focusing on their injection approaches and trigger patterns.

2.2. Backdoor Defense

To counter the growing threat of backdoor attacks, researchers have developed various defense mechanisms with distinct technical approaches. Kunzhe Huang et al. [27] proposed a decoupling-based defense method that reveals backdoor embedding patterns in feature space. Their approach employs self-supervised learning to train the backbone network on unlabeled samples, freezes the backbone while training remaining fully connected layers on labeled data, and finally performs semi-supervised fine-tuning to mitigate poisoned sample effects. Bolun Wang et al. [28] introduced a detection framework that reverse-engineers hidden triggers through optimization, identifying the minimal pixel modifications required to misclassify samples into target labels.

The FCT framework [29] presents a comprehensive sensitivity measurement system comprising three modules: the SD module for distinguishing clean/poisoned samples, ST module for secure model retraining, and BR module for backdoor removal. These components enable two defense paradigms (D-ST and D-BR) for different scenarios. Reconstruction Neuron Pruning (RNP) [30] effectively exposes and prunes backdoor-related neurons through asymmetric forgetting–recovery processes, demonstrating robust defense across multiple attack types.

Recent advances include AFRAIDOOR [31], which enhances attack stealth through adaptive trigger injection with adversarial perturbations, and AIBD [32] that combines adversarial attack principles with backdoor detection to isolate poisoned samples while employing label correction for model purification. Yash Sharma et al. [33] systematically investigated low-frequency perturbations’ effectiveness in adversarial attacks, exposing vulnerabilities in current ImageNet defenses. Contrastive Neuron Pruning (CNP) [34] offers a label-free defense solution by identifying and pruning backdoor-related neurons based on abnormal feature distributions in compromised models.

These defense mechanisms collectively address critical challenges in backdoor mitigation, ranging from detection and removal to model hardening, while highlighting the ongoing arms race between evolving attack and defense strategies in deep learning security.

2.3. Discrete Wavelet Transform

The discrete wavelet transform (DWT) [35] represents a multiscale signal analysis technique capable of decomposing signals into frequency sub-bands while preserving both temporal and spectral information. In contrast to conventional Fourier transform (FT) and short-time Fourier transform (STFT) [36], DWT demonstrates superior suitability for non-stationary signal analysis through its dynamic adjustment of time–frequency resolution.

The theoretical foundation of DWT lies in multiresolution analysis (MRA), systematically developed by Mallat and Meyer in the 1980s. MRA decomposes signals into a series of nested approximation spaces (low-frequency components) and detail spaces (high-frequency components), generated, respectively, by scaling functions and wavelet functions. Algorithmically, DWT employs a dual-channel filter bank consisting of a low-pass filter and high-pass filter to perform convolution and down-sampling, progressively yielding approximation coefficients and detail coefficients. This process can be iteratively applied to form multilevel decomposition (e.g., pyramid algorithm), maintaining a computational complexity of merely O(N) that facilitates real-time processing.

In image processing applications, the two-dimensional DWT extends its functionality through row-column filtering, generating multidirectional sub-bands (LL/LH/HL/HH), as illustrated in Figure 1. This decomposition mechanism significantly broadens the transform’s applicability across various computer vision tasks.

3. Methodology

We propose a novel backdoor trigger strategy that leverages two-level 2D wavelet transform in the YUV color space. Our approach decomposes input images into low-frequency and high-frequency components, where we strategically embed specific triggers into the high-frequency sub-bands of original samples. Through inverse discrete wavelet transform, we generate poisoned data that maintain model performance on clean inputs while effectively triggering malicious behavior when encountering compromised samples. This high-frequency injection method in UV channels significantly enhances both the model’s recognition accuracy for poisoned samples and the attack’s stealthiness and success rate.

Table 2. Symbol definition.

Symbol	Definition
I	Input RGB image
Y, U, V	Luminance (Y) and chrominance (U, V) channels in the YUV color space
DWT	Discrete wavelet transform, used to decompose images into high- and low-frequency components
db2	Daubechies 2 wavelet basis, used for wavelet decomposition
LLk	Low-frequency wavelet coefficients at level k
LHk, HLk, HHk	High-frequency wavelet coefficients at level k, representing horizontal, vertical, and diagonal details, respectively
T	Polarity-alternating trigger matrix, embedded in high-frequency sub-bands
α	Trigger intensity coefficient, controlling the strength of the trigger
IDWT	Inverse discrete wavelet transform, used for image reconstruction
SSIM	Structural similarity index, measuring visual quality of images
PSNR	Peak signal-to-noise ratio, quantifying image quality
ASR	Attack success rate, measuring the effectiveness of the trigger in activating malicious behavior
JND	Just noticeable difference, describing human visual sensitivity to chrominance variations

provides the definitions of the symbols used in the proposed method.

The proposed methodology achieves covert yet efficient backdoor implantation by injecting polarity-alternating triggers into high-frequency sub-bands of chrominance channels during wavelet transformation. As illustrated in Figure 2, the comprehensive pipeline consists of four key steps: (1) YUV color space conversion, (2) wavelet decomposition of UV channels, (3) high-frequency sub-band trigger injection, and (4) image reconstruction. This systematic approach ensures optimal trigger embedding while preserving visual quality and model functionality. Inter-step relationships: The pipeline follows a hierarchical progression—color space conversion enables targeted channel processing, wavelet decomposition localizes embedding regions, the design and injection of polarity-alternating triggers optimize both stealth and effectiveness, while reconstruction ensures end-to-end compatibility. Collectively, these steps achieve an optimal balance between attack efficacy and imperceptibility.

3.1. YUV Color Space Conversion

Our deliberate choice of the YUV color space for backdoor injection was motivated by three key technical advantages over traditional RGB channels. First, the human visual system exhibits markedly lower sensitivity to chrominance (UV) variations compared to luminance (Y), with a just noticeable difference (JND) threshold of 7.5 for UV components—modifications that would be immediately apparent in RGB space. Second, empirical analysis demonstrated that UV channels contain 18% of total wavelet sub-band energy (versus just 7% in RGB) while maintaining complete decoupling from luminance information, enabling both exceptional stealth (SSIM ≥ 0.98) and structural preservation. Third, and critically for attack efficacy, UV modifications produce stronger gradient responses in neural networks, yielding significantly higher backdoor trigger success rates. These properties collectively establish YUV as the optimal vector for balancing stealth, robustness, and attack effectiveness. The implementation began with standard RGB-to-YUV conversion, preserving original image fidelity while enabling subsequent frequency-domain manipulations in this more advantageous color space.

We converted RGB image $I\in {[0,1]}^{H\times W\times 3}$ to YUV space, as shown in Equation (1):

$$\left[\begin{array}{c}Y\\ U\\ V\end{array}\right]=\left[\begin{array}{ccc}0.299& 0.587& 0.114\\ -0.147& -0.298& 0.436\\ 0.615& -0.515& -0.100\end{array}\right] \left[\begin{array}{c}R\\ G\\ B\end{array}\right]$$

(1)

3.2. Wavelet Decomposition of UV Channels

In digital image processing, high-frequency components typically carry detailed information, such as textures and noise, while low-frequency components preserve the fundamental structure and contours of an image. This characteristic makes subtle modifications in high-frequency bands particularly imperceptible to human vision. Leveraging this principle, we performed a two-level discrete wavelet transform (DWT) on the chrominance channels $C\in \{\mathrm{U},\mathrm{V}\}$, specifically employing the Daubechies 2 (db2) wavelet basis. This decomposition was derived from Equation (2):

$$coefff{s}_C=[A_2,(H_2,V_2,D_2),(H_1,V_1,D_1)]=DWT(C,‘db2’)$$

(2)

The db2 wavelet basis was selected for its optimal balance between time–frequency localization and computational efficiency, making it particularly suitable for our application, where both precision and performance are critical considerations. This transform allowed us to precisely target the high-frequency sub-bands, where our modifications will be most effective yet least noticeable.

The k-th level low-frequency coefficient $A_k$ was obtained through two-dimensional convolution and down-sampling (Equation (3)):

$$A_k\left[n,m\right]={\displaystyle \sum _{i,j}h[i]h[j]·A_{k-1}[an-i,2m-j]}$$

(3)

High-frequency components at each level were generated through filter combinations in different directions to obtain diagonal high frequencies (Equation (4)):

$$D_k[n,m]={\displaystyle \sum _{i,j}g[i]g[j]·A_{k-1}[2n-i,2m-j]}$$

(4)

where $g[·]$ is a high-pass filter kernel (wavelet function coefficient) satisfying $g[n]={(-1)}^{n}h[1-n]$. In this case, the diagonal high-frequency sub-band D₂ (i.e., HH₂) was obtained.

3.3. High-Frequency Sub-Band Trigger Injection

Generation of alternating polarity triggers: The structure of the polarity trigger employed a differential polarity design, creating a unique energy distribution pattern in the frequency domain. The alternating positive–negative pattern further enhanced the model’s sensitivity to trigger features. Additionally, the self-canceling characteristic of the polarity trigger ensured its effectiveness even after spatial filtering. Defining the trigger matrix $T\in R^{m\times n}$, the trigger pattern was mathematically formulated in Equation (5):

$$T_{i,j}=\left\{\begin{array}{c}+\alpha \hspace{1em}if i\equiv 1(\mathrm{mod}4)and j\equiv 1(\mathrm{mod}4)\\ -\alpha \hspace{1em}if i\equiv 1(\mathrm{mod}4)and j\equiv 1(\mathrm{mod}4)\\ 0\hspace{1em}\hspace{0.17em}otherwise\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hspace{1em}\hfill \end{array}\right.$$

(5)

Here, α represents the intensity coefficient. By adjusting α, we can control the strength of the trigger. Theoretically, a larger α leads to a more stable trigger and a higher attack success rate (ASR). However, it also increases the probability of detection by defense mechanisms. Therefore, selecting an appropriate value for α is crucial.

Poisoning process: After performing wavelet decomposition on the UV channels, we obtained the low-frequency sub-band along with multiple high-frequency sub-bands (e.g., LH₂, HL₂, and HH₂). We then injected the polarity trigger T into the HH₂ sub-bands of both channels (Equation (6)):

$$H{H}_2^{poisioned}=H{H}_2+\Re (T,size(H{H}_2))$$

(6)

The poisoning process employs bicubic interpolation scaling $\Re (·)$, specifically targeting the HH₂ sub-band for trigger injection. Bicubic interpolation is an interpolation algorithm for image or video processing. It is used to compute the color value of a new pixel when you zoom in, out, or up the resolution. Compared with bilinear interpolation, it can provide smoother and higher-quality visual effects. This selection was strategically optimal for three key reasons: first, the human visual system’s minimal sensitivity to HH sub-bands (as quantified by contrast sensitivity function $S(f)\approx f^{-0.33}$) ensured visual stealth; second, shallow CNN kernels demonstrated particularly strong responses to HH frequencies, enhancing feature learning; third, as Figure 3 illustrates, the HH₂ sub-band’s negligible energy proportion in CIFAR-10 datasets guaranteed minimal PSNR impact from perturbations. This multicriteria optimization makes HH₂ the ideal carrier for covert yet effective backdoor attacks.

3.4. Image Reconstruction

Upon completing the trigger embedding in high-frequency sub-bands, we performed signal reconstruction using a two-level 2D inverse discrete wavelet transform (IDWT). Specifically, the reconstruction involved combining the modified high-frequency components (HH₂) with the original low-frequency components (LL₂) and other detail sub-bands (LH₂, HL₂, etc.). This process is mathematically described by the following Equations (7) and (8):

$$L{L_1}^{\prime }=IDWT2(L{L}_2,(L{H}_2,H{L}_2,H{H}_2^{poisoned}))$$

(7)

$$C^{poisoned}=IDWT2(L{L_1}^{\prime },(L{H}_1,H{L}_1,H{H}_1))$$

(8)

The processed YUV image was ultimately reconstructed into RGB format through inverse color space transformation, yielding the poisoned sample $C^{poisioned}$ with visually imperceptible artifacts. Figure 4 demonstrates the comparative effects of trigger injections at varying energy intensities. Our observations revealed a non-linear amplification of perturbation effects relative to increasing trigger intensity. Specifically, when the intensity coefficient remained below 1.0, spatial-domain perturbations remained virtually undetectable; however, beyond certain thresholds, trigger patterns began exhibiting visible artifacts.

Notably, for CNN models sensitive to high-frequency features, even low-energy triggers injected solely in high-frequency sub-bands can achieve high attack success rates. Building on this finding, we strictly constrained the intensity coefficient within an optimized range of 0.2–1.0 while maintaining attack efficacy. This balanced approach established critical guidance for energy intensity selection in covert backdoor attacks.

After implanting backdoors into the training set, the model’s behavior during testing became conditionally controlled. The backdoor activated exclusively when the model encountered the cumulative trigger T containing target-class high-frequency information. This mechanism ensured the model maintained its expected high performance on normal samples, while producing incorrect inferences when processing specially crafted poisoned samples—thereby achieving the attacker’s objectives.

4. Experiments and Results

4.1. Experimental Environment and Performance Index

Experimental Setup

All experiments were conducted using PyTorch (CUDA 12.4) and Python 3.12.4 on a high-performance server equipped with a 12th Gen Intel^® Core™ i7-12700KF CPU and an NVIDIA GeForce RTX 4070 GPU to ensure efficient computation.

Datasets and Models

As shown in

Table 3. Datasets.

Dataset	Training/Test Images	Labels	Image Size	Color	Model
CIFAR-10	50,000/10,000	10	32 × 32 × 3	RGB	Resnet18
GTSRB	39,209/12,630	43	32 × 32 × 3	RGB	Resnet18

, we evaluated our method on two widely used backdoor attack benchmarks, CIFAR-10 [37] and GTSRB [38], using a ResNet-18 model. Comprehensive experiments were performed, comparing our approach with five state-of-the-art backdoor attack methods to validate its effectiveness and robustness.

CIFAR-10 (*Canadian Institute for Advanced Research-10*) is a widely used benchmark dataset in the field of computer vision, compiled and released by Alex Krizhevsky, Vinod Nair, and Geoffrey Hinton in 2009. It consists of 60,000 color images evenly distributed across 10 mutually exclusive categories, with each category containing 6000 images. The images are formatted as 32 × 32-pixel RGB files, and their low-resolution nature poses a challenge to models’ feature extraction capabilities.

GTSRB (German Traffic Sign Recognition Benchmark) is a leading dataset in traffic sign recognition, introduced by German researchers during the 2011 IJCNN competition. It is extensively used for traffic sign classification tasks in autonomous driving and intelligent transportation systems, with its core value lying in simulating the diversity and complexity of real-world traffic signs. The dataset comprises 43 classes of traffic signs (e.g., speed limits, stop signs, directional indicators, etc.), totaling approximately 51,839 images—39,209 for training and 12,630 for testing. Like CIFAR-10, the images are standardized as 32 × 32-pixel RGB files.

Evaluation Metrics

ACC (clean accuracy): Classification accuracy on unmodified test data, measuring how well the model retains its original functionality after backdoor implantation:

$$ACC={\displaystyle \frac{\mathrm{Number} \mathrm{of} \mathrm{correctly} \mathrm{classified} \mathrm{clean} \mathrm{samples}}{\mathrm{Total} \mathrm{number} \mathrm{of} \mathrm{clean} \mathrm{samples}}}\times 100\%$$

(9)

ASR (attack success rate): The percentage of triggered samples misclassified as the target class. A successful attack requires high ASR (ideally ≈ 100%) while maintaining high ACC:

$$ASR={\displaystyle \frac{\mathrm{Number} \mathrm{of} \mathrm{poisoned} \mathrm{samples} \mathrm{classified} \mathrm{as} \mathrm{target} \mathrm{class}}{\mathrm{Total} \mathrm{number} \mathrm{of} \mathrm{poisoned} \mathrm{samples}}}\times 100\%$$

(10)

PSNR (peak signal-to-noise ratio): Quantifies the visual stealth of triggers by computing pixel-level differences between clean and poisoned images. Higher values indicate better imperceptibility:

$$PSNR=10·{\log }_{10}({\displaystyle \frac{MA{X_I}^2}{MSE}})$$

(11)

SSIM (structural similarity index): Assesses perceptual similarity between clean and poisoned images by evaluating luminance, contrast, and structural patterns (human-vision-aligned metric):

$$SSIM(x,y)={\displaystyle \frac{(2{\mu }_x{\mu }_y+C_1)(2{\sigma }_{xy}+C_2)}{({{\mu }_x}^2+{{\mu }_y}^2+C_1)({{\sigma }_x}^2+{{\sigma }_y}^2+C_2)}}$$

(12)

4.2. Overall Performance

Our systematic investigation revealed a critical trade-off in trigger energy intensity for effective backdoor attacks. We observed that insufficient energy levels (<0.2) significantly impaired attack success (ASR < 60%) by failing to establish reliable backdoor pathways, while excessive intensity (>1.0) introduced detectable artifacts and triggered defense mechanisms. Through extensive 50-epoch experiments on GTSRB with varying energy values, we identified the optimal range of 0.2–1.0 that simultaneously achieved high attack success (92–98% ASR) while maintaining visual stealth (PSNR > 32 dB, SSIM > 0.95). This non-linear relationship between energy intensity and attack performance, as visualized in Figure 5, highlights the necessity for precise energy calibration through dataset-specific tuning and multi-metric evaluation (ASR/PSNR/SSIM), providing practical guidelines for implementing covert yet effective backdoor attacks.

Figure 5 demonstrates the quasi-linear relationship between attack success rate (ASR) and trigger intensity α. Notably, when α > 0.8, ASR stabilized at 98.3% ± 0.4%, indicating that strong triggers effectively surpassed the model’s frequency-domain feature extraction threshold. Remarkably, even in the weak intensity range (α ∈ [0.1, 0.4]), ASR maintained a high level of 94.6% ± 1.2%, validating the specific activation effect of high-frequency sub-band injection on shallow CNN convolutional kernels. However, an anomalous inflection point occurred at α = 0.5 (90.72% ± 1.8%), attributable to dynamic cognitive mechanisms in the model—at this critical threshold, trigger energy was partially recognized as potential noise rather than semantic features by certain convolutional kernels, resulting in sparse activation of feature maps.

While pursuing high ASR, we must simultaneously consider the visual stealth of poisoned samples. As trigger intensity increased, both PSNR and SSIM gradually decreased. After comprehensive evaluation, we selected an injection intensity of 0.8 for subsequent experiments. Figure 6 and Figure 7 present the model accuracy (ACC) and ASR for both datasets at this intensity. Additionally, we conducted detailed evaluations of HFCBA across different injection channels (RGB, YUV, and UV), with results summarized in

Table 4. Comparison of results of different variant methods (ablation experiment).

Attack	CIFAR-10				GTSRB
	ASR	ACC	PSNR	SSIM	ASR	ACC	PSNR	SSIM
No Attack	92.16	/	/	/	95.96	/	/	/
RGB	90.68	98.10	32.74	0.935	95.12	97.82	35.52	0.929
YUV	91.42	98.92	38.55	0.981	94.92	99.12	41.42	0.969
UV	91.88	98.54	45.18	0.999	95.73	98.98	45.09	0.997

.

Through extensive experimental validation, all variants of our proposed method demonstrated remarkable effectiveness, achieving consistently high attack success rates across both datasets while maintaining model accuracy (ACC) with only marginal degradation. Although high-frequency injection in the UV channel did not yield the absolute highest ASR at equivalent intensity levels, it provided significantly improved PSNR and SSIM metrics. This optimal balance established UV-channel high-frequency injection as the preferred approach, delivering both competitive attack performance and superior stealth characteristics.

4.3. Comparative Analysis with Existing Backdoor Attack Methods

In this paper, we compared our proposed HCBA method with existing backdoor attack approaches, including classical methods (BadNets, Blended, and SIG) and recently proposed techniques (FIBA and ASBS). All experiments were conducted with a poisoning ratio of 0.1, and the comparative results are summarized in

Table 5. Experimental comparison.

Attack	CIFAR-10				GTSRB
	ASR	ACC	PSNR	SSIM	ASR	ACC	PSNR	SSIM
No Attack	/	92.17	/	/	/	95.96	/	/
BadNets	98.26	91.94	30.41	0.967	97.12	94.78	31.72	0.954
Blended	98.38	91.34	20.15	0.829	99.29	95.10	23.43	0.795
FIBA	97.37	91.55	25.40	0.962	97.34	93.55	25.40	0.962
SIG	96.42	90.92	21.44	0.798	94.73	93.74	27.50	0.811
ASBA	98.51	91.72	36.08	0.985	99.80	95.43	35.67	0.975
HCBA	98.54	91.88	45.18	0.998	98.98	95.73	45.09	0.997

.

The experimental results demonstrated that in the benign dataset testing environment, when the training data were poisoned, various backdoor attack methods exhibited varying degrees of performance degradation in classification accuracy (ACC) when processing benign samples. This phenomenon aligns with the “accuracy–attack effectiveness” trade-off theory in the field of machine learning backdoor attacks, where enhancing attack performance often comes at the cost of reduced classification accuracy on normal samples. However, the HCBA method proposed in this paper successfully broke this traditional limitation through its innovative low-frequency injection strategy in the UV channel. While maintaining an exceptionally high attack effectiveness (average attack success rate (ASR) of 98.5%), HCBA strictly controlled the decline in benign sample classification accuracy to within 1%, achieving an optimal balance between attack potency and stealthiness. This breakthrough opens new avenues for backdoor attack research.

In terms of stealth performance, HCBA demonstrated overwhelming superiority compared to other baseline methods. Quantitative evaluation data revealed that the poisoned samples generated by HCBA significantly outperformed existing attack methods in two key metrics for measuring image similarity: peak signal-to-noise ratio (PSNR = 45.09 dB) and structural similarity index (SSIM = 0.998). Compared to the second-best method, HCBA improved PSNR by 9 dB ± 1 and SSIM by 0.03 ± 0.01, indicating that the poisoned samples produced by HCBA were nearly indistinguishable from the original samples in terms of image quality. Visual perception tests further corroborated this conclusion, as human subjective evaluations found it almost impossible to differentiate between poisoned and original samples (see Figure 8 for specific visualizations). Additionally, an in-depth spatial residual analysis (Figure 9) revealed unique properties of HCBA’s perturbations: (1) at the original image scale, these perturbations were completely imperceptible to the naked eye, (2) only when the image was magnified 50 times could globally distributed micro-perturbations be observed, and (3) the perturbation energy was primarily concentrated in the low-frequency regions of the UV color space, which is less sensitive to human vision. This ensured that the perturbations neither significantly degraded visual quality nor compromised the effectiveness of the attack.

HCBA’s innovative perturbation pattern offers multiple technical advantages. By precisely modulating the perturbation amplitude and frequency-domain distribution, it skillfully evades spatial anomaly detection-based defense mechanisms, as its perturbations are uniformly distributed and inconspicuous in the spatial domain. The findings of this study clearly indicate that future defense system development must shift focus toward new detection dimensions, such as color space transformation and frequency-domain feature analysis, to counter such highly stealthy attack methods.

To gain deeper insights into the impact of our proposed backdoor trigger on model behavior, we conducted a comprehensive visualization analysis using Grad-CAM (Gradient-weighted Class Activation Mapping) [39]. As illustrated in Figure 10, this technique revealed the activation regions of the model under HCBA attack. Unlike conventional spatial backdoor triggers that often induce localized abnormal activations, our HCBA method injected triggers in the frequency domain. This strategic approach ensured that no perceptible artifacts or suspicious activation patterns were introduced in specific spatial regions of the poisoned images. Consequently, the trigger remained highly concealed, significantly increasing the difficulty of detection and defense. The Grad-CAM results further validated that HCBA’s frequency-domain perturbations maintained natural model behavior while effectively achieving adversarial control.

We performed a comparison of the advantages of choosing discrete wavelet transform over the FIBA method that uses Fourier transform in the frequency domain.

The wavelet transform (DWT) demonstrated significant multidimensional advantages over the Fourier transform (FT) in the HCBA method, particularly in terms of signal processing precision, attack stealthiness, robustness, and defense resistance.

From a signal analysis perspective, DWT achieved joint time–frequency localization through multiresolution analysis (MRA), enabling precise separation of high-frequency and low-frequency image components across different scales and directions (horizontal, vertical, and diagonal). This characteristic allows attackers to selectively embed triggers in the HH₂ high-frequency sub-band, which is least perceptible to human vision. In contrast, the Fourier transform only provided global frequency information and lacked such fine-grained spatial localization.

In terms of stealthiness, the high-frequency sub-bands of DWT primarily contained texture details and noise, which are less perceptible to the human visual system. Experimental data showed that DWT-based trigger embedding maintained extremely high structural similarity (SSIM > 0.99) and peak signal-to-noise ratio (PSNR > 45 dB), making the perturbations nearly imperceptible. On the other hand, Fourier transform-based attacks typically require perturbations in the low-frequency region, which often introduce noticeable color shifts or blurring, increasing the risk of manual detection.

Regarding computational efficiency, DWT had an algorithmic complexity of O(N), significantly outperforming the Fourier transform’s O(NlogN). This makes DWT more suitable for large-scale image processing while allowing flexible trade-offs between time–frequency resolution and computational cost through the selection of different wavelet bases (e.g., db2). Additionally, the polar trigger design of DWT created alternating positive and negative structures in the HH₂ sub-band, forming a unique energy distribution pattern that effectively resisted various frequency-domain filtering defenses.

Finally, from an energy distribution perspective, the HH₂ sub-band after DWT decomposition accounted for only about 7% of the total image energy. This low-energy characteristic ensured minimal impact on image quality (PSNR > 45 dB). In contrast, Fourier transform-based attacks inevitably introduced significant distortions (typically PSNR < 30 dB) due to the need to perturb energy-dense low-frequency regions.

In summary, DWT provided comprehensive advantages for the HCBA method in terms of stealthiness, attack success rate, and resistance to interference.

4.4. Defense Robustness Test

To comprehensively evaluate the robustness of the HCBA backdoor attack method and explore its potential in real-world application scenarios, this study conducted specialized tests on HCBA against mainstream defense algorithms. The investigation selected two classical defense strategies—neural cleanse and frequency-domain filtering—as test subjects, systematically analyzing the actual performance of the HCBA attack method when confronted with defense mechanisms.

4.4.1. Neural Cleanse Resistance Evaluation

We conducted further evaluation of our method’s resistance to neural cleanse [28] (

Table 6. Defense effectiveness against neural cleanse.

Attack	Anomaly Index
	CIFAR-10	GTSRB
BadNet	3.58	3.98
Blended	1.79	1.64
HCBA (α = 0.8)	2.27	2.45
HCBA (α = 0.2)	1.67	1.98

), a sophisticated defense algorithm that detects and removes potential backdoors in deep learning models to ensure correct behavior on normal inputs while neutralizing malicious triggers. The defense effectiveness was quantified using an anomaly index metric with established thresholds: values below 2 indicate a clean model, between 2 and 3 suggest suspicious activity, and above 3 confirm backdoor presence. Our experimental results demonstrated that with α = 0.8, the anomaly indices fell within the suspicious range (2–3) across both public datasets, making the model detectable but not conclusively malicious. However, when α = 0.2, all anomaly indices remained below the detection threshold (<2), effectively bypassing the neural cleanse defense mechanism. These findings highlight our method’s ability to adaptively evade detection while maintaining attack efficacy, with lower α values providing complete stealth against this advanced defense system.

4.4.2. Frequency-Domain Filtering

In contemporary backdoor defense research, frequency-domain signal filtering has emerged as a widely recognized effective countermeasure [12]. This defense mechanism operates by transforming images from the spatial domain to the frequency domain, followed by analysis and processing of frequency components to detect and mitigate potential backdoors. In our investigation, we implemented three distinct filtering approaches—Gaussian filter, median filter, and Wiener filter—as preprocessing operations during model training to eliminate potential backdoor threats.

Table 7. Frequency-domain filtering defense effect.

Filter	CIFAR-10			GTSRB
	ACC	ASR	ACC Decrease	ACC	ASR	ACC Decrease
Clean	92.17	98.54	/	95.96	98.98	/
Gaussian filtering W = (1, 1)	91.85	98.58	0.32	95.23	98.82	0.73
Gaussian filtering W = (3, 3)	60.58	19.55	31.58	62.34	33.18	33.62
Median filtering W = (3, 3)	71.02	13.63	21.15	79.19	46.63	16.77
Wiener filtering W = (3, 3)	14.49	11.63	77.68	13.48	8.38	82.48

demonstrates the resilience of HCBA backdoor attacks against frequency-domain filtering defenses, with all experiments conducted at a trigger injection strength of α = 0.8. The results revealed significant variations in how different filtering algorithms affected the model accuracy (ACC) and attack success rate (ASR) across CIFAR-10 and GTSRB datasets. Notably, Gaussian filter (1, 1) showed negligible impact on model performance but limited defensive efficacy. Gaussian filter (3, 3) substantially suppressed ASR at the cost of significant ACC degradation. Median filter (3, 3) achieved partial balance between ASR reduction and ACC preservation, though still caused notable accuracy decline. Wiener filter demonstrated inconsistent backdoor suppression capabilities while inducing severe model performance deterioration.

Cross-dataset comparisons revealed that while GTSRB baseline models outperformed CIFAR-10, they exhibited greater vulnerability to ACC degradation from frequency-domain filtering. Our comprehensive analysis suggested that conventional frequency-domain smoothing techniques, despite showing promise against traditional backdoor attacks, proved inadequate against advanced paradigms like HCBA. These methods not only failed to establish effective defensive barriers but also substantially compromised fundamental model functionality and performance metrics—a clear violation of model usability principles. Consequently, frequency-domain smoothing techniques represent a suboptimal solution for defending against HCBA attacks, failing to achieve desired protection objectives.

5. Conclusions

This study proposed a frequency-domain transformation-based deep neural network backdoor attack method, which significantly enhanced the stealthiness and robustness of backdoor attacks through high-frequency-domain injection in chrominance channels. The proposed approach innovatively employed discrete wavelet transform (DWT) to embed backdoor triggers in the high-frequency domain of UV channels, effectively addressing critical issues in conventional backdoor attacks, such as unnatural triggers, easy detectability, weak resistance to data augmentation, and insufficient stability. Specifically, our method achieved optimization through a two-phase implementation: first, a base trigger was subtly embedded in the frequency domain to ensure visual imperceptibility; then, a polarity trigger was injected without compromising stealthiness to enhance attack robustness. Experimental results demonstrated that our method achieved remarkable superiority in three key aspects: attack success rate (ASR > 98.5%), stealthiness (PSNR > 45 dB), and robustness (SSIM > 0.996).

Compared to traditional spatial-domain backdoor attacks, our frequency-domain injection scheme generated more natural trigger patterns, effectively evading detection by existing mechanisms while maintaining stable attack performance. Notably, it demonstrated superior adaptability when confronting data augmentation techniques.

Future research directions include (1) extending this method to federated learning scenarios to explore the effectiveness of distributed multi-trigger injection strategies, (2) investigating the feasibility of cross-modal frequency-domain backdoor attacks, and (3) developing novel defense mechanisms against frequency-domain backdoor attacks. These studies will contribute to a more comprehensive assessment of the practical threats posed by frequency-domain backdoor attacks and provide theoretical support for building more secure deep learning systems.