Prompt-based approaches offer a cutting-edge solution to data privacy issues in continual learning, particularly in scenarios involving multiple data suppliers where long-term storage of private user data is prohibited. Despite delivering state-of-the-art performance, its impressive remembering capability can become a double-edged sword, raising security concerns as it might inadvertently retain poisoned knowledge injected during learning from private user data. Following this insight, in this paper, we expose continual learning to a potential threat: backdoor attack, which drives the model to follow a desired adversarial target whenever a specific trigger is present while still performing normally on clean samples. We highlight three critical challenges in executing backdoor attacks on incremental learners and propose corresponding solutions: (1) \emph{Transferability}: We employ a surrogate dataset and manipulate prompt selection to transfer backdoor knowledge to data from other suppliers; (2) \emph{Resiliency}: We simulate static and dynamic states of the victim to ensure the backdoor trigger remains robust during intense incremental learning processes; and (3) \emph{Authenticity}: We apply binary cross-entropy loss as an anti-cheating factor to prevent the backdoor trigger from devolving into adversarial noise. Extensive experiments across various benchmark datasets and continual learners validate our continual backdoor framework, achieving up to $100\%$ attack success rate, with further ablation studies confirming our contributions' effectiveness.

翻译：基于提示的方法为持续学习中的数据隐私问题提供了一种前沿解决方案，尤其适用于涉及多个数据供应商、且禁止长期存储私有用户数据的场景。尽管该方法能实现最先进的性能，但其卓越的记忆能力可能成为一把双刃剑，引发安全隐患——模型可能无意中保留从私有用户数据学习过程中注入的污染知识。基于此洞见，本文揭示了持续学习面临的一个潜在威胁：后门攻击。该攻击驱使模型在出现特定触发器时遵循预设的对抗性目标，同时在干净样本上仍保持正常表现。我们重点阐述了在增量学习器上实施后门攻击面临的三大挑战，并提出了相应解决方案：（1）\emph{可迁移性}：通过使用代理数据集并操控提示选择，将后门知识迁移至其他供应商的数据；（2）\emph{鲁棒性}：通过模拟受害者的静态与动态状态，确保后门触发器在剧烈的增量学习过程中保持稳定；（3）\emph{真实性}：应用二元交叉熵损失作为反作弊因子，防止后门触发器退化为对抗性噪声。我们在多种基准数据集和持续学习器上进行了大量实验，验证了所提出的持续后门框架可实现高达 $100\%$ 的攻击成功率，进一步的消融研究也证实了各模块的有效性。