CLIP-guided Diffusion Model for Backdoor Generation in Sensor-based Human Activity Recognition
Pith reviewed 2026-06-26 09:11 UTC · model grok-4.3
The pith
A CLIP-guided diffusion model generates backdoor triggers in IMU sensor data that successfully attack human activity recognition models at 10% injection rates.
A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.
Core claim
The authors establish that by guiding a diffusion model with CLIP to produce synthetic IMU samples containing specific triggers, one can create backdoored training sets for HAR models, resulting in reliable trigger-activated misbehavior even at low poisoning fractions of 10%.
What carries the argument
The CLIP-guided diffusion model (IMU-DM-CLIP) that generates time-series sensor data embedding backdoor triggers for training HAR classifiers.
Load-bearing premise
The diffusion model can produce sensor data samples that embed effective, stealthy triggers which the target HAR model will reliably associate with the backdoor behavior during training.
What would settle it
A test showing that HAR models trained on the generated backdoored data do not achieve high accuracy on triggered test samples for the target class.
Figures
read the original abstract
Sensors are critical components of modern intelligent devices. The proliferation of the Internet of Things (IoT) and wearable mobile devices has enabled the integration of such sensors to monitor the environment and enable users to take predictive actions. Human activity recognition (HAR) is a popular application in which Inertial Measurement Unit (IMU)-based sensors, such as accelerometers and gyroscopes, are used to provide insights into health, training, and medical diagnosis. However, the accuracy of such a model is hindered by the lack of data. The diffusion model-based technique has proven successful in generating synthetic data for training HAR models. In this paper, we propose a backdoor training technique, IMU-DM-CLIP, that leverages a diffusion model to enable trigger-based attacks on HAR models. Our empirical analysis shows that the attack is successful even with a very small backdoor injection rate of 10\% and 10\% of the data guided for the diffusion model.
Editorial analysis
A structured set of objections, weighed in public.
Referee Report
Summary. The paper proposes IMU-DM-CLIP, a backdoor attack technique for IMU-based Human Activity Recognition (HAR) models. It uses a CLIP-guided diffusion model to generate synthetic sensor data embedding triggers, enabling effective backdoor injection during training. The central claim is that the attack succeeds even at a low 10% backdoor injection rate with only 10% of the data guided by the diffusion model.
Significance. If the empirical results hold with proper validation, the work would demonstrate a practical method for generating stealthy backdoors in sensor-based HAR systems via generative models, highlighting security risks in IoT and wearable applications. However, the absence of any quantitative results, baselines, or setup details in the provided text limits assessment of novelty or impact relative to existing backdoor or diffusion-based HAR work.
major comments (1)
- [Abstract] Abstract: The central empirical claim states success 'even with a very small backdoor injection rate of 10% and 10% of the data guided for the diffusion model,' but supplies no attack success rates, clean accuracy metrics, datasets (e.g., UCI-HAR, PAMAP2), baselines, or experimental protocol. This absence makes it impossible to evaluate whether the diffusion-generated samples embed effective triggers, directly undermining verification of the load-bearing result.
Simulated Author's Rebuttal
We thank the referee for their comments. We address the single major comment below and will revise the manuscript accordingly.
read point-by-point responses
-
Referee: [Abstract] Abstract: The central empirical claim states success 'even with a very small backdoor injection rate of 10% and 10% of the data guided for the diffusion model,' but supplies no attack success rates, clean accuracy metrics, datasets (e.g., UCI-HAR, PAMAP2), baselines, or experimental protocol. This absence makes it impossible to evaluate whether the diffusion-generated samples embed effective triggers, directly undermining verification of the load-bearing result.
Authors: We agree that the abstract as currently written does not include the quantitative results needed to support the central claim. The full manuscript contains the requested details (attack success rates, clean accuracies, datasets including UCI-HAR and PAMAP2, baselines, and experimental protocol) in the Experiments section. To address the concern directly, we will revise the abstract to report key metrics such as the achieved attack success rate at the 10% injection rate and the corresponding clean accuracy. This change will allow readers to evaluate the claim from the abstract. revision: yes
Circularity Check
No significant circularity detected
full rationale
The manuscript proposes an empirical backdoor attack (IMU-DM-CLIP) on HAR models and reports success rates from experiments at 10% injection and 10% diffusion guidance. No derivation chain, equations, or self-referential definitions are present in the provided abstract or described claims. The result is framed as an experimental outcome rather than a mathematical reduction to fitted inputs or self-citations, making the work self-contained against external benchmarks.
Axiom & Free-Parameter Ledger
Reference graph
Works this paper leans on
-
[1]
Privacy and security challenges in industrial iot: A comprehensive survey,
C. Alcaraz and J. Lopez, “Privacy and security challenges in industrial iot: A comprehensive survey,”Algorithms, vol. 16, no. 8, p. 378, 2023
2023
-
[2]
Challenges for securing cyber physical systems,
A. Cardenas, S. Amin, and S. Sastry, “Challenges for securing cyber physical systems,”Workshop on Future Directions in Cyber-Physical Systems Security, 2008
2008
-
[3]
Federated intrusion detection for iot with heterogeneous cohort privacy,
A. K. Chathoth, A. Jagannatha, and S. Lee, “Federated intrusion detection for iot with heterogeneous cohort privacy,”arXiv preprint arXiv:2101.09878, 2021
-
[4]
A review on deep learning techniques for iot data,
K. Lakshmanna, R. Kaluri, N. Gundluru, Z. S. Alzamil, D. S. Rajput, A. A. Khan, M. A. Haq, and A. Alhussen, “A review on deep learning techniques for iot data,”Electronics, vol. 11, no. 10, p. 1604, 2022
2022
-
[5]
Secure control: Towards survivable cyber-physical systems,
A. A. Cardenas, S. Amin, and S. Sastry, “Secure control: Towards survivable cyber-physical systems,”IEEE Security & Privacy, 2008
2008
-
[6]
Differentially private federated continual learning with heterogeneous cohort privacy,
A. K. Chathoth, C. P. Necciai, A. Jagannatha, and S. Lee, “Differentially private federated continual learning with heterogeneous cohort privacy,” in2022 IEEE International Conference on Big Data (Big Data). IEEE, 2022, pp. 5682–5691
2022
-
[7]
A tutorial on human activity recognition using body-worn inertial sensors,
A. Bulling, U. Blanke, and B. Schiele, “A tutorial on human activity recognition using body-worn inertial sensors,”ACM Computing Surveys (CSUR), vol. 46, no. 3, pp. 1–33, 2014
2014
-
[8]
A survey on iiot security,
X. Yu and H. Guo, “A survey on iiot security,” in2019 IEEE VTS Asia Pacific Wireless Communications Symposium (APWCS). IEEE, 2019, pp. 1–5
2019
-
[9]
Dynamic black-box backdoor attacks on iot sensory data,
A. K. Chathoth and S. Lee, “Dynamic black-box backdoor attacks on iot sensory data,” in2024 IEEE 6th International Conference on Trust, Privacy and Security in Intelligent Systems, and Applications (TPS-ISA). IEEE, 2024, pp. 182–191
2024
-
[10]
A survey on human activity recognition using wearable sensors,
O. D. Lara and M. A. Labrador, “A survey on human activity recognition using wearable sensors,”IEEE communications surveys & tutorials, vol. 15, no. 3, pp. 1192–1209, 2012
2012
-
[11]
Synthetic sensor data for human activity recognition,
F. Alharbi, L. Ouarbya, and J. A. Ward, “Synthetic sensor data for human activity recognition,” in2020 International Joint Conference on Neural Networks (IJCNN). IEEE, 2020, pp. 1–9
2020
-
[12]
A survey on generative diffusion models,
H. Cao, C. Tan, Z. Gao, Y . Xu, G. Chen, P.-A. Heng, and S. Z. Li, “A survey on generative diffusion models,”IEEE transactions on knowledge and data engineering, vol. 36, no. 7, pp. 2814–2830, 2024
2024
-
[13]
A study on diffusion modelling for sensor- based human activity recognition,
S. Shao and V . Sanchez, “A study on diffusion modelling for sensor- based human activity recognition,” in2023 11th International Workshop on Biometrics and Forensics (IWBF). IEEE, 2023
2023
-
[14]
BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain
T. Gu, B. Dolan-Gavitt, and S. Garg, “Badnets: Identifying vulnera- bilities in the machine learning model supply chain,”arXiv preprint arXiv:1708.06733, 2017
work page internal anchor Pith review Pith/arXiv arXiv 2017
-
[15]
How to backdoor federated learning,
E. Bagdasaryan, A. Veit, Y . Hua, D. Estrin, and V . Shmatikov, “How to backdoor federated learning,” inInternational Conference on Artificial Intelligence and Statistics, 2020
2020
-
[16]
Poisoning and backdooring contrastive learn- ing,
N. Carlini and A. Terzis, “Poisoning and backdooring contrastive learn- ing,” inInternational Conference on Learning Representations (ICLR), 2022
2022
-
[17]
Pcap-backdoor: Backdoor poisoning generator for network traffic in cps/iot environments,
A. K. Chathoth and S. Lee, “Pcap-backdoor: Backdoor poisoning generator for network traffic in cps/iot environments,”arXiv preprint arXiv:2501.15563, 2025
-
[18]
Badnets: Evaluating backdooring attacks on deep neural networks,
T. Gu, K. Liu, B. Dolan-Gavitt, and S. Garg, “Badnets: Evaluating backdooring attacks on deep neural networks,”Ieee Access, vol. 7, pp. 47 230–47 244, 2019
2019
-
[19]
Pcap-backdoor: Backdoor generator in network traffic for intrusion detection systems,
A. K. Chathoth, K. Parashar, A. Peng, and S. Lee, “Pcap-backdoor: Backdoor generator in network traffic for intrusion detection systems,” ACM Transactions on Cyber-Physical Systems, vol. 10, no. 3, pp. 1–25, 2026
2026
-
[20]
An electronic product carbon footprint dataset for question answering,
K. Zhao, A. Koyatan Chathoth, B. Balaji, and S. Lee, “An electronic product carbon footprint dataset for question answering,”Scientific Data, 2026
2026
-
[21]
Log anomaly detection with large language models via knowledge-enriched fusion,
A. Peng, A. K. Chathoth, and S. Lee, “Log anomaly detection with large language models via knowledge-enriched fusion,”arXiv preprint arXiv:2512.11997, 2025
-
[22]
Diffusionclip: Text-guided diffusion models for robust image manipulation,
G. Kim, T. Kwon, and J. C. Ye, “Diffusionclip: Text-guided diffusion models for robust image manipulation,” inProceedings of the IEEE/CVF conference on computer vision and pattern recognition, 2022, pp. 2426– 2435
2022
-
[23]
Dynamic user-controllable privacy-preserving few-shot sensing framework,
A. K. Chathoth, S. Yu, and S. Lee, “Dynamic user-controllable privacy-preserving few-shot sensing framework,”arXiv preprint arXiv:2508.03989, 2025
-
[24]
How to backdoor diffusion models?
S.-Y . Chou, P.-Y . Chen, and T.-Y . Ho, “How to backdoor diffusion models?” inProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, 2023, pp. 4015–4024
2023
-
[25]
Privclip: Dynamic user-controllable privacy-preserving few-shot sensing framework,
A. K. Chathoth, S. Yu, and S. Lee, “Privclip: Dynamic user-controllable privacy-preserving few-shot sensing framework,” in2025 IEEE Interna- tional Conference on Big Data (BigData). IEEE, 2025, pp. 1793–1798
2025
-
[26]
Utility-aware privacy and model integrity analytics for iot systems,
A. K. Chathoth, “Utility-aware privacy and model integrity analytics for iot systems,” Ph.D. dissertation, University of Pittsburgh, 2025
2025
-
[27]
Backdoor attacks on contrastive learning,
R. Gaoet al., “Backdoor attacks on contrastive learning,”NeurIPS, 2023
2023
-
[28]
Hidden trigger backdoor attacks,
A. Saha, A. Subramanya, and H. Pirsiavash, “Hidden trigger backdoor attacks,” inAAAI Conference on Artificial Intelligence, 2020
2020
-
[29]
Poisoning contrastive learning,
N. Carlini and A. Terzis, “Poisoning contrastive learning,” inIEEE Symposium on Security and Privacy, 2021
2021
-
[30]
Learning transferable visual models from natural language supervision,
A. Radford, J. W. Kim, C. Hallacy, A. Ramesh, G. Goh, S. Agarwal, G. Sastry, A. Askell, P. Mishkin, J. Clarket al., “Learning transferable visual models from natural language supervision,” inInternational conference on machine learning. PmLR, 2021, pp. 8748–8763
2021
-
[31]
Contrastive continual learning for model adaptability in internet of things,
A. K. Chathoth, “Contrastive continual learning for model adaptability in internet of things,”arXiv preprint arXiv:2602.04881, 2026
-
[32]
Supervised contrastive learning,
P. Khosla, P. Teterwak, C. Wanget al., “Supervised contrastive learning,” Advances in Neural Information Processing Systems (NeurIPS), 2020, arXiv:2004.11362
-
[33]
Activity recognition from on-body sensors: accuracy- power trade-off by dynamic sensor selection,
P. Zappi, C. Lombriser, T. Stiefmeier, E. Farella, D. Roggen, L. Benini, and G. Tr ¨oster, “Activity recognition from on-body sensors: accuracy- power trade-off by dynamic sensor selection,” inWireless Sensor Net- works: 5th European Conference, EWSN 2008, Bologna, Italy, January 30-February 1, 2008. Proceedings. Springer, 2008, pp. 17–33
2008
-
[34]
The opportunity challenge: A bench- mark database for on-body sensor-based activity recognition,
R. Chavarriaga, H. Sagha, A. Calatroni, S. T. Digumarti, G. Tr ¨oster, J. d. R. Mill ´an, and D. Roggen, “The opportunity challenge: A bench- mark database for on-body sensor-based activity recognition,”Pattern Recognition Letters, vol. 34, no. 15, pp. 2033–2042, 2013
2033
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.