Backdoor attacks against pre-trained models (PTMs) have traditionally operated under an ``immediacy assumption,'' where malicious behavior manifests instantly upon trigger occurrence. This work revisits and challenges this paradigm by introducing \textit{\textbf{Delayed Backdoor Attacks (DBA)}}, a new class of threats in which activation is temporally decoupled from trigger exposure. We propose that this \textbf{temporal dimension} is the key to unlocking a previously infeasible class of attacks: those that use common, everyday words as triggers. To examine the feasibility of this paradigm, we design and implement a proof-of-concept prototype, termed \underline{D}elayed Backdoor Attacks Based on \underline{N}onlinear \underline{D}ecay (DND). DND embeds a lightweight, stateful logic module that postpones activation until a configurable threshold is reached, producing a distinct latency phase followed by a controlled outbreak. We derive a formal model to characterize this latency behavior and propose a dual-metric evaluation framework (ASR and ASR$_{delay}$) to empirically measure the delay effect. Extensive experiments on four (natural language processing)NLP benchmarks validate the core capabilities of DND: it remains dormant for a controllable duration, sustains high clean accuracy ($\ge$94\%), and achieves near-perfect post-activation attack success rates ($\approx$99\%, The average of other methods is below 95\%.). Moreover, DND exhibits resilience against several state-of-the-art defenses. This study provides the first empirical evidence that the temporal dimension constitutes a viable yet unprotected attack surface in PTMs, underscoring the need for next-generation, stateful, and time-aware defense mechanisms.

翻译：针对预训练模型的后门攻击传统上遵循"即时性假设"，即恶意行为在触发器出现时即刻显现。本研究重新审视并挑战这一范式，提出了**延迟后门攻击**——一种将激活与触发器暴露在时间上解耦的新型威胁类别。我们认为**时间维度**是实现一类先前不可行攻击的关键：即使用常见日常词汇作为触发器的攻击。为验证该范式的可行性，我们设计并实现了名为**基于非线性衰减的延迟后门攻击**的概念验证原型。该原型嵌入了一个轻量级有状态逻辑模块，将激活推迟至可配置阈值达到后执行，形成独特的潜伏期与受控爆发阶段。我们建立了形式化模型来描述这种延迟行为，并提出双指标评估框架（攻击成功率与延迟攻击成功率）来实证测量延迟效应。在四个自然语言处理基准测试上的大量实验验证了该原型的核心能力：可在可控时长内保持休眠状态、维持高清洁准确率（≥94%）、实现近乎完美的激活后攻击成功率（≈99%，其他方法平均低于95%）。此外，该原型对多种前沿防御方法表现出强韧性。本研究首次提供实证证据表明：时间维度构成了预训练模型中可行且未受保护的攻击面，这凸显了开发下一代有状态且具备时间感知能力的防御机制的必要性。