VisPoison：一种针对表格数据可视化模型的有效后门攻击框架 (VisPoison: An Effective Backdoor Attack Framework for Tabular Data Visualization Models)

Text-to-visualization (text-to-vis) models for tabular data have become essential tools in the era of big data, enabling users to generate visualizations and make data-driven decisions through natural language queries (NLQs). Despite their growing adoption, the security vulnerabilities of these models remain largely unexplored. To address this gap, we propose VisPoison, a backdoor attack framework that realistically simulates three types of attacks on text-to-vis models via data poisoning: data exposure, misleading visualizations, and denial-of-service (DoS). Specifically, VisPoison introduces two types of stealthy triggers to enable both proactive and passive backdoor activations. Proactive triggers are deliberately inserted by attackers using rare-word patterns to extract sensitive information, whereas passive triggers are unintentionally activated by users through first-word prompts, resulting in visualization errors or DoS failures. To support these triggers, we craft specialized payloads for visualization queries that allow compromised models to function normally on benign inputs while producing malicious outputs in the presence of triggers. Extensive evaluations on both trainable and in-context learning (ICL)-based text-to-vis models show that VisPoison achieves attack success rates exceeding 90\%, exposing serious vulnerabilities. Additionally, existing defense strategies reveal limited effectiveness against VisPoison, underscoring the urgent need for more robust and security-aware text-to-vis systems to safeguard human-data interaction.

翻译：在当今大数据时代，面向表格数据的文本到可视化（text-to-vis）模型已成为关键工具，使用户能够通过自然语言查询（NLQ）生成可视化图表并做出数据驱动的决策。尽管这些模型的应用日益广泛，但其安全漏洞在很大程度上仍未得到充分探究。为填补这一空白，我们提出了VisPoison，这是一个后门攻击框架，通过数据投毒真实地模拟了针对文本到可视化模型的三种攻击类型：数据泄露、误导性可视化和拒绝服务（DoS）。具体而言，VisPoison引入了两种隐蔽触发器，以实现主动式和被动式后门激活。主动触发器由攻击者通过罕见词模式刻意植入以提取敏感信息，而被动触发器则通过用户无意中使用的首词提示被激活，导致可视化错误或DoS故障。为支持这些触发器，我们为可视化查询设计了专门的恶意载荷，使得被攻陷的模型在良性输入下能正常运作，而在触发器存在时则产生恶意输出。基于可训练模型和上下文学习（ICL）的文本到可视化模型的广泛评估表明，VisPoison的攻击成功率超过90%，揭示了严重的安全漏洞。此外，现有防御策略对VisPoison的防护效果有限，这凸显了构建更鲁棒且具备安全意识的文本到可视化系统的迫切需求，以保障人机数据交互的安全。