This work challenges the conventional assumption in backdoor attacks that trigger strength must be identical during training and inference, revealing that deliberate strength mismatch can simultaneously enhance both attack success rate (ASR) and stealthiness. To this end, we propose TITIM—the first Training-Inference Trigger Intensity Manipulation framework—which enables robust backdoor attacks via multi-intensity trigger mixing during training. Experiments on CIFAR-10 with ResNet-18 demonstrate that training with opacity ratios 0.1/1.0 boosts worst-case ASR from 10.61% to 92.77%; further, a 1.0/0.7 intensity mismatch reduces the AUC of the Scale-Up defense from 0.96 to 0.62 while preserving a high ASR of 99.65%. The method exhibits strong generalization across architectures, datasets, and domains. By decoupling trigger intensities across training and inference phases, TITIM establishes a new paradigm for backdoor attack modeling and defense evaluation.

Backdoor attacks typically place a specific trigger on certain training data, such that the model makes prediction errors on inputs with that trigger during inference. Despite the core role of the trigger, existing studies have commonly believed a perfect match between training-inference triggers is optimal. In this paper, for the first time, we systematically explore the training-inference trigger relation, particularly focusing on their mismatch, based on a Training-Inference Trigger Intensity Manipulation (TITIM) workflow. TITIM specifically investigates the training-inference trigger intensity, such as the size or the opacity of a trigger, and reveals new insights into trigger generalization and overfitting. These new insights challenge the above common belief by demonstrating that the training-inference trigger mismatch can facilitate attacks in two practical scenarios, posing more significant security threats than previously thought. First, when the inference trigger is fixed, using training triggers with mixed intensities leads to stronger attacks than using any single intensity. For example, on CIFAR-10 with ResNet-18, mixing training triggers with 1.0 and 0.1 opacities improves the worst-case attack success rate (ASR) (over different testing opacities) of the best single-opacity attack from 10.61% to 92.77%. Second, intentionally using certain mismatched training-inference triggers can improve the attack stealthiness, i.e., better bypassing defenses. For example, compared to the training/inference intensity of 1.0/1.0, using 1.0/0.7 decreases the area under the curve (AUC) of the Scale-Up defense from 0.96 to 0.62, while maintaining a high attack ASR (99.65% vs. 91.62%). The above new insights are validated to be generalizable across different backdoor attacks, models, datasets, tasks, and (digital/physical) domains.