Existing backdoor attacks predominantly rely on a single trigger pattern, rendering them vulnerable to detection by trigger-specific defenses. Method: This paper proposes a novel multi-trigger collaborative backdoor attack paradigm that breaks the conventional single-trigger assumption. We first reveal—empirically and theoretically—that trigger magnitude exhibits a positive correlation with both attack effectiveness and detectability; leveraging this insight, we design a multi-type, low-magnitude trigger collaboration mechanism. Our approach integrates trigger magnitude control, spatial fusion of multiple triggers, and end-to-end joint optimization, fully compatible with standard training pipelines. Contribution/Results: Evaluated on three benchmark datasets, our method achieves attack success rates exceeding 95%, consistently evades state-of-the-art defenses, and significantly enhances trigger invisibility—thereby challenging the fundamental defense assumption of uniform trigger patterns.

Backdoor attacks have become a critical threat to deep neural networks (DNNs), drawing many research interests. However, most of the studied attacks employ a single type of trigger. Consequently, proposed backdoor defenders often rely on the assumption that triggers would appear in a unified way. In this paper, we show that this naive assumption can create a loophole, allowing more sophisticated backdoor attacks to bypass. We design a novel backdoor attack mechanism that incorporates multiple types of backdoor triggers, focusing on stealthiness and effectiveness. Our journey begins with the intriguing observation that the performance of a backdoor attack in deep learning models, as well as its detectability and removability, are all proportional to the magnitude of the trigger. Based on this correlation, we propose reducing the magnitude of each trigger type and combining them to achieve a strong backdoor relying on the combined trigger while still staying safely under the radar of defenders. Extensive experiments on three standard datasets demonstrate that our method can achieve high attack success rates (ASRs) while consistently bypassing state-of-the-art defenses.