{"id":"https://openalex.org/W7138085218","doi":"https://doi.org/10.1609/aaai.v40i1.36964","title":"Transferable Backdoor Attacks for Code Models via Sharpness-Aware Adversarial Perturbation","display_name":"Transferable Backdoor Attacks for Code Models via Sharpness-Aware Adversarial Perturbation","publication_year":2026,"publication_date":"2026-03-14","ids":{"openalex":"https://openalex.org/W7138085218","doi":"https://doi.org/10.1609/aaai.v40i1.36964"},"language":null,"primary_location":{"id":"doi:10.1609/aaai.v40i1.36964","is_oa":true,"landing_page_url":"https://doi.org/10.1609/aaai.v40i1.36964","pdf_url":"https://ojs.aaai.org/index.php/AAAI/article/download/36964/40926","source":{"id":"https://openalex.org/S4210191458","display_name":"Proceedings of the AAAI Conference on Artificial Intelligence","issn_l":"2159-5399","issn":["2159-5399","2374-3468"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310320058","host_organization_name":"Association for the Advancement of Artificial Intelligence","host_organization_lineage":["https://openalex.org/P4310320058"],"host_organization_lineage_names":["Association for the Advancement of Artificial Intelligence"],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the AAAI Conference on Artificial Intelligence","raw_type":"journal-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":true,"oa_status":"diamond","oa_url":"https://ojs.aaai.org/index.php/AAAI/article/download/36964/40926","any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":null,"display_name":"Shuyu Chang","orcid":null},"institutions":[{"id":"https://openalex.org/I41198531","display_name":"Nanjing University of Posts and Telecommunications","ror":"https://ror.org/043bpky34","country_code":"CN","type":"education","lineage":["https://openalex.org/I41198531"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Shuyu Chang","raw_affiliation_strings":["School of Computer Science, Nanjing University of Posts and Telecommunications, China\nState Key Laboratory of Tibetan Intelligence, China\nJiangsu Provincial Key Laboratory of Internet of Things Intelligent Perception and Computing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Computer Science, Nanjing University of Posts and Telecommunications, China\nState Key Laboratory of Tibetan Intelligence, China\nJiangsu Provincial Key Laboratory of Internet of Things Intelligent Perception and Computing, China","institution_ids":["https://openalex.org/I41198531"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Haiping Huang","orcid":null},"institutions":[{"id":"https://openalex.org/I4210132990","display_name":"State Key Laboratory of Cryptology","ror":"https://ror.org/02pn5rj08","country_code":"CN","type":"government","lineage":["https://openalex.org/I4210132990"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haiping Huang","raw_affiliation_strings":["School of Computer Science, Nanjing University of Posts and Telecommunications, China\nState Key Laboratory of Tibetan Intelligence, China\nJiangsu Provincial Key Laboratory of Internet of Things Intelligent Perception and Computing, China\nAnhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Computer Science, Nanjing University of Posts and Telecommunications, China\nState Key Laboratory of Tibetan Intelligence, China\nJiangsu Provincial Key Laboratory of Internet of Things Intelligent Perception and Computing, China\nAnhui Province Key Laboratory of Cyberspace Security Situation Awareness and Evaluation, China","institution_ids":["https://openalex.org/I4210132990"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yanjun Zhang","orcid":null},"institutions":[{"id":"https://openalex.org/I114017466","display_name":"University of Technology Sydney","ror":"https://ror.org/03f0f6041","country_code":"AU","type":"education","lineage":["https://openalex.org/I114017466"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Yanjun Zhang","raw_affiliation_strings":["University of Technology Sydney, Australia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"University of Technology Sydney, Australia","institution_ids":["https://openalex.org/I114017466"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Yujin Huang","orcid":null},"institutions":[{"id":"https://openalex.org/I165779595","display_name":"The University of Melbourne","ror":"https://ror.org/01ej9dk98","country_code":"AU","type":"education","lineage":["https://openalex.org/I165779595"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Yujin Huang","raw_affiliation_strings":["The University of Melbourne, Australia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"The University of Melbourne, Australia","institution_ids":["https://openalex.org/I165779595"]}]},{"author_position":"middle","author":{"id":null,"display_name":"Fu Xiao","orcid":null},"institutions":[{"id":"https://openalex.org/I41198531","display_name":"Nanjing University of Posts and Telecommunications","ror":"https://ror.org/043bpky34","country_code":"CN","type":"education","lineage":["https://openalex.org/I41198531"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Fu Xiao","raw_affiliation_strings":["School of Computer Science, Nanjing University of Posts and Telecommunications, China\nState Key Laboratory of Tibetan Intelligence, China\nJiangsu Provincial Key Laboratory of Internet of Things Intelligent Perception and Computing, China"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"School of Computer Science, Nanjing University of Posts and Telecommunications, China\nState Key Laboratory of Tibetan Intelligence, China\nJiangsu Provincial Key Laboratory of Internet of Things Intelligent Perception and Computing, China","institution_ids":["https://openalex.org/I41198531"]}]},{"author_position":"last","author":{"id":null,"display_name":"Leo Yu Zhang","orcid":null},"institutions":[{"id":"https://openalex.org/I11701301","display_name":"Griffith University","ror":"https://ror.org/02sc3r913","country_code":"AU","type":"education","lineage":["https://openalex.org/I11701301"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Leo Yu Zhang","raw_affiliation_strings":["Griffith University, Australia"],"raw_orcid":null,"affiliations":[{"raw_affiliation_string":"Griffith University, Australia","institution_ids":["https://openalex.org/I11701301"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":6,"corresponding_author_ids":[],"corresponding_institution_ids":["https://openalex.org/I41198531"],"apc_list":null,"apc_paid":null,"fwci":0.0,"has_fulltext":true,"cited_by_count":0,"citation_normalized_percentile":{"value":0.27294455,"is_in_top_1_percent":false,"is_in_top_10_percent":false},"cited_by_percentile_year":null,"biblio":{"volume":"40","issue":"1","first_page":"57","last_page":"65"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.619700014591217,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.619700014591217,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T11241","display_name":"Advanced Malware Detection Techniques","score":0.11479999870061874,"subfield":{"id":"https://openalex.org/subfields/1711","display_name":"Signal Processing"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10260","display_name":"Software Engineering Research","score":0.10540000349283218,"subfield":{"id":"https://openalex.org/subfields/1710","display_name":"Information Systems"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.9789000153541565},{"id":"https://openalex.org/keywords/adversarial-system","display_name":"Adversarial system","score":0.8514999747276306},{"id":"https://openalex.org/keywords/code","display_name":"Code (set theory)","score":0.4507000148296356},{"id":"https://openalex.org/keywords/transferability","display_name":"Transferability","score":0.4043999910354614},{"id":"https://openalex.org/keywords/minification","display_name":"Minification","score":0.40139999985694885},{"id":"https://openalex.org/keywords/debugging","display_name":"Debugging","score":0.358599990606308},{"id":"https://openalex.org/keywords/key","display_name":"Key (lock)","score":0.35850000381469727}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.9789000153541565},{"id":"https://openalex.org/C37736160","wikidata":"https://www.wikidata.org/wiki/Q1801315","display_name":"Adversarial system","level":2,"score":0.8514999747276306},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.7203999757766724},{"id":"https://openalex.org/C2776760102","wikidata":"https://www.wikidata.org/wiki/Q5139990","display_name":"Code (set theory)","level":3,"score":0.4507000148296356},{"id":"https://openalex.org/C61272859","wikidata":"https://www.wikidata.org/wiki/Q7834031","display_name":"Transferability","level":3,"score":0.4043999910354614},{"id":"https://openalex.org/C147764199","wikidata":"https://www.wikidata.org/wiki/Q6865248","display_name":"Minification","level":2,"score":0.40139999985694885},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.3628000020980835},{"id":"https://openalex.org/C168065819","wikidata":"https://www.wikidata.org/wiki/Q845566","display_name":"Debugging","level":2,"score":0.358599990606308},{"id":"https://openalex.org/C26517878","wikidata":"https://www.wikidata.org/wiki/Q228039","display_name":"Key (lock)","level":2,"score":0.35850000381469727},{"id":"https://openalex.org/C11413529","wikidata":"https://www.wikidata.org/wiki/Q8366","display_name":"Algorithm","level":1,"score":0.350600004196167},{"id":"https://openalex.org/C124101348","wikidata":"https://www.wikidata.org/wiki/Q172491","display_name":"Data mining","level":1,"score":0.3416999876499176},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.334199994802475},{"id":"https://openalex.org/C185798385","wikidata":"https://www.wikidata.org/wiki/Q1161707","display_name":"Benchmark (surveying)","level":2,"score":0.33390000462532043},{"id":"https://openalex.org/C65856478","wikidata":"https://www.wikidata.org/wiki/Q3991682","display_name":"Attack model","level":2,"score":0.3188999891281128},{"id":"https://openalex.org/C43126263","wikidata":"https://www.wikidata.org/wiki/Q128751","display_name":"Source code","level":2,"score":0.313400000333786},{"id":"https://openalex.org/C177918212","wikidata":"https://www.wikidata.org/wiki/Q803623","display_name":"Perturbation (astronomy)","level":2,"score":0.31279999017715454},{"id":"https://openalex.org/C80444323","wikidata":"https://www.wikidata.org/wiki/Q2878974","display_name":"Theoretical computer science","level":1,"score":0.3093000054359436},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.3073999881744385},{"id":"https://openalex.org/C202615002","wikidata":"https://www.wikidata.org/wiki/Q783507","display_name":"Differentiable function","level":2,"score":0.29260000586509705},{"id":"https://openalex.org/C164155591","wikidata":"https://www.wikidata.org/wiki/Q2067766","display_name":"Satisfiability modulo theories","level":2,"score":0.28769999742507935},{"id":"https://openalex.org/C119857082","wikidata":"https://www.wikidata.org/wiki/Q2539","display_name":"Machine learning","level":1,"score":0.28630000352859497},{"id":"https://openalex.org/C188198153","wikidata":"https://www.wikidata.org/wiki/Q1613840","display_name":"Limiting","level":2,"score":0.262800008058548}],"mesh":[],"locations_count":1,"locations":[{"id":"doi:10.1609/aaai.v40i1.36964","is_oa":true,"landing_page_url":"https://doi.org/10.1609/aaai.v40i1.36964","pdf_url":"https://ojs.aaai.org/index.php/AAAI/article/download/36964/40926","source":{"id":"https://openalex.org/S4210191458","display_name":"Proceedings of the AAAI Conference on Artificial Intelligence","issn_l":"2159-5399","issn":["2159-5399","2374-3468"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310320058","host_organization_name":"Association for the Advancement of Artificial Intelligence","host_organization_lineage":["https://openalex.org/P4310320058"],"host_organization_lineage_names":["Association for the Advancement of Artificial Intelligence"],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the AAAI Conference on Artificial Intelligence","raw_type":"journal-article"}],"best_oa_location":{"id":"doi:10.1609/aaai.v40i1.36964","is_oa":true,"landing_page_url":"https://doi.org/10.1609/aaai.v40i1.36964","pdf_url":"https://ojs.aaai.org/index.php/AAAI/article/download/36964/40926","source":{"id":"https://openalex.org/S4210191458","display_name":"Proceedings of the AAAI Conference on Artificial Intelligence","issn_l":"2159-5399","issn":["2159-5399","2374-3468"],"is_oa":true,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/P4310320058","host_organization_name":"Association for the Advancement of Artificial Intelligence","host_organization_lineage":["https://openalex.org/P4310320058"],"host_organization_lineage_names":["Association for the Advancement of Artificial Intelligence"],"type":"conference"},"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the AAAI Conference on Artificial Intelligence","raw_type":"journal-article"},"sustainable_development_goals":[],"awards":[{"id":"https://openalex.org/G698852458","display_name":null,"funder_award_id":"62293503","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320321605","display_name":"Government of Jiangsu Province","ror":"https://ror.org/004svx814"}],"has_content":{"grobid_xml":true,"pdf":true},"content_urls":{"pdf":"https://content.openalex.org/works/W7138085218.pdf","grobid_xml":"https://content.openalex.org/works/W7138085218.grobid-xml"},"referenced_works_count":0,"referenced_works":[],"related_works":[],"abstract_inverted_index":{"Code":[0],"models":[1,23,44,185],"are":[2,48],"increasingly":[3],"adopted":[4],"in":[5,125,139,192,226],"software":[6],"development":[7],"but":[8,47,66],"remain":[9],"vulnerable":[10],"to":[11,63,153,165],"backdoor":[12,19],"attacks":[13,20,34,58,191,211],"via":[14],"poisoned":[15,83],"training":[16,86],"data.":[17,115],"Existing":[18],"on":[21,75,234],"code":[22,38,184],"face":[24],"a":[25,102,147,200],"fundamental":[26],"trade-off":[27],"between":[28,82],"transferability":[29,108,195],"and":[30,45,84,109,161,182,196,231],"stealthiness.":[31,197],"Static":[32],"trigger-based":[33,57],"insert":[35],"fixed":[36],"dead":[37],"patterns":[39],"that":[40,105,122,187,212],"transfer":[41,132],"well":[42],"across":[43,135,179],"datasets":[46,136,181],"easily":[49],"detected":[50],"by":[51,119,224],"code-specific":[52],"defenses.":[53],"In":[54],"contrast,":[55],"dynamic":[56,221],"adaptively":[59],"generate":[60],"context-aware":[61,175],"triggers":[62],"evade":[64],"detection":[65],"suffer":[67],"from":[68],"poor":[69],"cross-dataset":[70,227],"transferability.":[71],"Moreover,":[72],"they":[73],"rely":[74],"unrealistic":[76],"assumptions":[77],"of":[78,128,194],"identical":[79],"data":[80],"distributions":[81],"victim":[85,114],"data,":[87],"limiting":[88],"their":[89],"practicality.":[90],"To":[91,142],"overcome":[92],"these":[93],"limitations,":[94],"we":[95,145],"propose":[96],"Sharpness-aware":[97],"Transferable":[98],"Adversarial":[99],"Backdoor":[100],"(STAB),":[101],"novel":[103],"attack":[104,203,223,228],"achieves":[106,199],"both":[107],"stealthiness":[110],"without":[111],"requiring":[112],"complete":[113],"STAB":[116,188,216],"is":[117],"motivated":[118],"the":[120,129,219],"observation":[121],"adversarial":[123,176],"perturbations":[124],"flat":[126,158],"regions":[127],"loss":[130,159],"landscape":[131],"more":[133],"effectively":[134],"than":[137],"those":[138],"sharp":[140],"minima.":[141],"this":[143],"end,":[144],"train":[146],"surrogate":[148],"model":[149,155],"using":[150],"Sharpness-Aware":[151],"Minimization":[152],"guide":[154],"parameters":[156],"toward":[157],"regions,":[160],"employ":[162],"Gumbel-Softmax":[163],"optimization":[164],"enable":[166],"differentiable":[167],"search":[168],"over":[169],"discrete":[170],"trigger":[171],"tokens":[172],"for":[173],"generating":[174],"triggers.":[177],"Experiments":[178],"three":[180],"two":[183],"show":[186],"outperforms":[189],"prior":[190],"terms":[193],"It":[198],"73.2%":[201],"average":[202],"success":[204,229],"rate":[205,230],"after":[206],"defense,":[207],"outperforming":[208],"static":[209],"trigger\u2013based":[210,222],"fail":[213],"under":[214],"defense.":[215],"also":[217],"surpasses":[218],"best":[220],"12.4%":[225],"maintains":[232],"performance":[233],"clean":[235],"inputs.":[236]},"counts_by_year":[],"updated_date":"2026-05-21T06:26:12.895304","created_date":"2026-02-16T00:00:00"}