Existing pixel-level clean-label backdoor attacks suffer from low success rates under data augmentation and are easily detectable by human inspection. This work proposes InvLBA, the first method to migrate the trigger from pixel space to the latent space of a generative model, achieving both high stealthiness and attack efficacy. By injecting backdoors through perturbations in latent features, InvLBA maintains nearly unchanged clean-sample accuracy while improving average attack success rates by 46.43% across multiple datasets. The approach significantly outperforms current state-of-the-art methods and demonstrates strong robustness against the most advanced defense mechanisms.

With the rapid advancement of image generative models, generative data augmentation has become an effective way to enrich training images, especially when only small-scale datasets are available. At the same time, in practical applications, generative data augmentation can be vulnerable to clean-label backdoor attacks, which aim to bypass human inspection. However, based on theoretical analysis and preliminary experiments, we observe that directly applying existing pixel-level clean-label backdoor attack methods (e.g., COMBAT) to generated images results in low attack success rates. This motivates us to move beyond pixel-level triggers and focus instead on the latent feature level. To this end, we propose InvLBA, an invisible clean-label backdoor attack method for generative data augmentation by latent perturbation. We theoretically prove that the generalization of the clean accuracy and attack success rates of InvLBA can be guaranteed. Experiments on multiple datasets show that our method improves the attack success rate by 46.43% on average, with almost no reduction in clean accuracy and high robustness against SOTA defense methods.