Papers
Topics
Authors
Recent
Search
2000 character limit reached

CSC: Turning the Adversary's Poison against Itself

Published 23 Apr 2026 in cs.CR and cs.AI | (2604.21416v1)

Abstract: Poisoning-based backdoor attacks pose significant threats to deep neural networks by embedding triggers in training data, causing models to misclassify triggered inputs as adversary-specified labels while maintaining performance on clean data. Existing poison restraint-based defenses often suffer from inadequate detection against specific attack variants and compromise model utility through unlearning methods that lead to accuracy degradation. This paper conducts a comprehensive analysis of backdoor attack dynamics during model training, revealing that poisoned samples form isolated clusters in latent space early on, with triggers acting as dominant features distinct from benign ones. Leveraging these insights, we propose Cluster Segregation Concealment (CSC), a novel poison suppression defense. CSC first trains a deep neural network via standard supervised learning while segregating poisoned samples through feature extraction from early epochs, DBSCAN clustering, and identification of anomalous clusters based on class diversity and density metrics. In the concealment stage, identified poisoned samples are relabeled to a virtual class, and the model's classifier is fine-tuned using cross-entropy loss to replace the backdoor association with a benign virtual linkage, preserving overall accuracy. CSC was evaluated on four benchmark datasets against twelve poisoning-based attacks, CSC outperforms nine state-of-the-art defenses by reducing average attack success rates to near zero with minimal clean accuracy loss. Contributions include robust backdoor patterns identification, an effective concealment mechanism, and superior empirical validation, advancing trustworthy artificial intelligence.

Summary

  • The paper proposes CSC which uses DBSCAN-based latent clustering and virtual relabeling to detect and mitigate poisoning-based backdoor attacks.
  • It demonstrates high precision and recall (>98% and >94%) across CIFAR-10, CIFAR-100, GTSRB, and Tiny-ImageNet with minimal accuracy loss and significant ASR reduction.
  • The approach integrates efficiently into existing DNN pipelines, remains robust against varied poisoning rates, and scales with modest computational overhead.

Cluster Segregation Concealment: Advancing Poisoning-based Backdoor Defense

Motivation and Problem Analysis

Poisoning-based backdoor attacks threaten the integrity of deep neural networks (DNNs) by covertly embedding triggers in training data, enabling adversaries to force misclassification of triggered inputs while preserving benign accuracy. Previous poison restraint-based defenses—such as machine unlearning, decision-space modification, and decoupled optimization—are limited by inadequate detection robustness against advanced attack variants and frequently degrade model utility. These approaches often misidentify benign samples as contaminated or struggle with attack-specific stealth tactics, notably clean-label or sample-specific feature-space attacks.

Recent empirical analysis reveals two salient properties underpinning poisoning-based attacks: 1) poisoned samples coalesce into isolated clusters in DNN latent space during early training, owing to the dominance of trigger features; 2) the model establishes a robust but spurious association between these features and adversary-specified labels, diverging significantly from benign sample-label mappings. These observations motivate the design of a defense mechanism that exploits early-stage clustering dynamics and redefines poisoned sample-label association without sacrificing clean accuracy.

Methodological Framework

The proposed Cluster Segregation Concealment (CSC) defense is structured around two major stages: Segregation and Concealment.

Segregation Stage: CSC initiates standard supervised training and leverages representations from the second-to-last model layer across the first EPdetectEP_{detect} epochs. CSC applies DBSCAN, a density-based clustering algorithm, to partition the latent space. Suspicious clusters are detected using class diversity and density metrics—clusters not corresponding to the largest majority are candidates for poison. This epoch-aggregated approach mitigates stochastic training instabilities, increasing precision and recall for poisoned sample detection. Figure 1

Figure 1: Workflow of CSC, detailing trigger embedding, poisoned sample clustering, and classifier retraining via concealment strategies.

Figure 2

Figure 2: Visualization of latent space organization at an early training stage, showing poisoned samples forming distinct segregated clusters.

Concealment Stage: In this phase, identified poisoned samples are relabeled to a virtual confusion class (n+1)(n+1), thus decoupling backdoor feature associations from adversarial target labels. The classification head is fine-tuned using cross-entropy loss on the augmented benign and relabeled poisoned datasets, with the feature extractor frozen to retain past feature segregation. This process eliminates backdoor vulnerabilities with negligible impact on the model's capacity to classify clean inputs.

Empirical Evaluation and Results

CSC was evaluated against twelve poisoning-based attack methods—including dirty-label, clean-label, and feature-space attacks—across four datasets: CIFAR-10, CIFAR-100, GTSRB, and Tiny-ImageNet. Comparisons were made with nine state-of-the-art defenses: ABL, DBD, NONE, D-BR, D-ST, CBD, ASD, DP-SGD, and NAD.

Strong numerical results demonstrate the efficacy of CSC:

  • On CIFAR-10, ASR is reduced from baseline values (>96%>96\%) to 0.02%0.02\%, with mean accuracy loss of just 0.29%0.29\%.
  • On CIFAR-100 and GTSRB, CSC yields ASRs of 0.01%0.01\% and 0.19%0.19\%, outperforming all baselines—most of which leave residual ASRs above 4\% or impose severe accuracy penalties (up to 12%12\% for NAD).
  • For feature-space attacks, such as WaNet and IAB, CSC sustains ASRs below 0.5%0.5\% on GTSRB, a setting where other methods fail.
  • Precision and recall for poisoned sample segregation frequently exceed 98%98\% and (n+1)(n+1)0, substantially surpassing alternatives like Spectral Signatures and Activation Clustering.

These results validate both the detection robustness and utility preservation of the approach. The concealment stage, when benchmarked against classic unlearning and mixed cross-entropy methods, achieves equivalent or superior backdoor erasure while improving ACC by (n+1)(n+1)1 and reducing ASR by (n+1)(n+1)2 on average.

Computational and Robustness Analysis

CSC's computational overhead is marginal relative to its defensive benefit. Training time on CIFAR-10 increases moderately (from 29.31 to 35.21 minutes), well below the costs incurred by DP-SGD, DBD, or NONE. Figure 3

Figure 3: Comparative analysis of training time for BadNets attack on CIFAR-10 across defense methodologies.

The defense remains robust to poisoning rates (tested from 1\% to 10\%), consistently achieving low ASR and minimal accuracy loss. CSC is insensitive to DBSCAN’s MinPts hyperparameter and achieves optimal performance at (n+1)(n+1)3. Figure 4

Figure 4

Figure 4: Impact of DBSCAN's (n+1)(n+1)4 parameter on poisoned sample recall and precision.

Theoretical and Practical Implications

CSC advances the theoretical understanding of backdoor dynamics in DNN training by elucidating the clustering mechanism in latent space and proposing label reassignment as a means of neutralizing spurious associations. Practically, the framework delivers scalable, attack-independent defense capabilities without the collateral accuracy loss characteristic of machine unlearning and other utility-sacrificing strategies.

Key implications include:

  • Enabling secure model deployment in untrusted, adversarial training environments without sacrificing baseline performance.
  • Providing a template for plug-and-play integration with mainstream architectures and datasets.
  • Offering adaptability to future evolving poisoning-based attacks, including those leveraging natural triggers or input-adaptive perturbations.

Future Directions

Potential extensions include automating clustering hyperparameter selection, enhancing detection in datasets with ambiguous ground-truth cluster structure, and expanding the method to multi-modal and sequential data paradigms. The theoretical basis established by CSC may foster novel dynamic and adversarial training protocols that proactively counteract poisoning during data collection and model refinement.

Conclusion

CSC represents a robust, empirically validated framework for poisoning-based backdoor defense in DNNs, uniting early-stage latent clustering with label concealment to neutralize adversarial triggers while preserving model utility. The approach substantially outperforms prior defenses across attack methods and datasets, enabling trustworthy model deployment in adversarial settings (2604.21416).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 1 tweet with 0 likes about this paper.