Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
119 tokens/sec
GPT-4o
56 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
47 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Test-Time Backdoor Defense via Detecting and Repairing (2308.06107v2)

Published 11 Aug 2023 in cs.CR

Abstract: Deep neural networks have played a crucial part in many critical domains, such as autonomous driving, face recognition, and medical diagnosis. However, deep neural networks are facing security threats from backdoor attacks and can be manipulated into attacker-decided behaviors by the backdoor attacker. To defend the backdoor, prior research has focused on using clean data to remove backdoor attacks before model deployment. In this paper, we investigate the possibility of defending against backdoor attacks at test time by utilizing partially poisoned data to remove the backdoor from the model. To address the problem, a two-stage method Test-Time Backdoor Defense (TTBD) is proposed. In the first stage, we propose a backdoor sample detection method DDP to identify poisoned samples from a batch of mixed, partially poisoned samples. Once the poisoned samples are detected, we employ Shapley estimation to calculate the contribution of each neuron's significance in the network, locate the poisoned neurons, and prune them to remove backdoor in the models. Our experiments demonstrate that TTBD removes the backdoor successfully with only a batch of partially poisoned data across different model architectures and datasets against different types of backdoor attacks.

Definition Search Book Streamline Icon: https://streamlinehq.com
References (45)
  1. A new backdoor attack in cnns by training set corruption without label poisoning. In Proc. ICIP, pages 101–105. IEEE, 2019.
  2. Polynomial calculation of the shapley value based on sampling. Computers & Operations Research, 36(5):1726–1730, 2009.
  3. Deepinspect: A black-box trojan detection and mitigation framework for deep neural networks. In Proc. IJCAI, 2019.
  4. Targeted backdoor attacks on deep learning systems using data poisoning. arXiv preprint arXiv:1712.05526, 2017.
  5. Evaluating the adversarial robustness of adaptive test-time defenses. In Proc. ICML, pages 4421–4435. PMLR, 2022.
  6. Februus: Input purification defense against trojan attacks on deep neural network systems. In Proc. ACSAC, pages 897–912, 2020.
  7. Neuron shapley: Discovering the responsible neurons. In Proc. ICLR, 2020.
  8. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733, 2017.
  9. Few-shot backdoor defense using shapley estimation. In Proc. CVPR, pages 13358–13367, 2022.
  10. Towards inspecting and eliminating trojan backdoors in deep neural networks. In Proc. ICDM, pages 162–171, 2020.
  11. Identity mappings in deep residual networks. In Proc. ECCV, pages 630–645. Springer, 2016.
  12. Densely connected convolutional networks. In Proc. CVPR, pages 4700–4708, 2017.
  13. Distilling cognitive backdoor patterns within an image. In Prco. ICLR, 2022a.
  14. Backdoor defense via decoupling the training process. In Proc. ICLR, 2022b.
  15. Identifying medical diagnoses and treatable diseases by image-based deep learning. Cell, 172(5):1122–1131, 2018.
  16. Learning multiple layers of features from tiny images. 2009.
  17. Tiny imagenet visual recognition challenge. CS 231N, 7(7):3, 2015.
  18. Test-time detection of backdoor triggers for poisoned deep neural networks. In Proc. ICASSP. IEEE, 2022.
  19. Invisible backdoor attack with sample-specific triggers. In Proc. ICCV, pages 16463–16472, 2021a.
  20. Anti-backdoor learning: Training clean models on poisoned data. In Proc. NeurIPS, pages 14900–14912, 2021b.
  21. Neural attention distillation: Erasing backdoor triggers from deep neural networks. In Proc. ICLR, 2021c.
  22. Do we really need to access the source data? source hypothesis transfer for unsupervised domain adaptation. In Proc. ICML, pages 6028–6039, 2020.
  23. A comprehensive survey on test-time adaptation under distribution shifts. arXiv preprint arXiv:2303.15361, 2023.
  24. Fine-pruning: Defending against backdooring attacks on deep neural networks. In Proc. RAID, pages 273–294, 2018.
  25. Detecting backdoors during the inference stage based on corruption robustness consistency. In Proc. CVPR, 2023.
  26. Reflection backdoor: A natural backdoor attack on deep neural networks. In Proc. ECCV, pages 182–199. Springer, 2020.
  27. Dad: Data-free adversarial defense at test time. In Proc. WACV, pages 3562–3571, 2022.
  28. Dad++: Improved data-free test time adversarial defense. arXiv preprint arXiv:2309.05132, 2023.
  29. Wanet–imperceptible warping-based backdoor attack. In Proc. ICLR, 2021.
  30. Input-aware dynamic backdoor attack. In Proc. NeurIPS, pages 3454–3464, 2020.
  31. Enhancing adversarial robustness via test-time transformation ensembling. In Proc. ICCV, pages 81–91, 2021.
  32. Certified robustness to label-flipping attacks via randomized smoothing. In Proc. ICML, 2020.
  33. Very deep convolutional networks for large-scale image recognition. arXiv preprint arXiv:1409.1556, 2014.
  34. Certified defenses for data poisoning attacks. In Proc. NeurIPS, 2017.
  35. Mask and restore: Blind backdoor defense at test time with masked autoencoder. arXiv preprint arXiv:2303.15564, 2023.
  36. Deepface: Closing the gap to human-level performance in face verification. In Proc. CVPR, pages 1701–1708, 2014.
  37. Deeptest: Automated testing of deep-neural-network-driven autonomous cars. In Proc. SEC, pages 303–314, 2018.
  38. Neural cleanse: Identifying and mitigating backdoor attacks in neural networks. In Proc. SP, pages 707–723. IEEE, 2019.
  39. Tent: Fully test-time adaptation by entropy minimization. In Proc. ICLR, 2020.
  40. Backdoorbench: A comprehensive benchmark of backdoor learning. In Proc. NeurIPS, pages 10546–10559, 2022.
  41. Adversarial neuron pruning purifies backdoored deep models. In Proc. NeurIPS, pages 16913–16925, 2021.
  42. One-to-n & n-to-one: Two advanced backdoor attacks against deep learning models. IEEE Transactions on Dependable and Secure Computing, 19(3):1562–1578, 2020.
  43. Rethinking the backdoor attacks’ triggers: A frequency perspective. In Proc. ICCV, pages 16473–16481, 2021.
  44. Pre-activation distributions expose backdoor neurons. Proc. NeurIPS, pages 18667–18680, 2022.
  45. Gangsweep: Sweep out neural backdoors by gan. In Proc. ACMMM, pages 3173–3181, 2020.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (3)
  1. Jiyang Guan (7 papers)
  2. Jian Liang (162 papers)
  3. Ran He (172 papers)

Summary

We haven't generated a summary for this paper yet.

Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Now