Model Agnostic Defence Against Backdoor Attacks in Machine Learning

Udeshi, Sakshi; Peng, Shanshan; Woo, Gerald; Loh, Lionell; Rawshan, Louth; Chattopadhyay, Sudipta

doi:10.1109/tr.2022.3159784

Cited by 34 publications

(18 citation statements)

References 20 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…Due to the emerging threat of backdoor attacks, several kinds of defenses have been proposed. These roughly belong to the following categories : (1) Input preprocessing [25,26,27,28]: This kind of defense introduces a preprocessing module with the intent of damaging the trigger pattern before passing it into the DNN. (2) Detection based defense [29,30,31,32,33]: The aim here is to detect the presence of possible malicious samples or backdoored models.…”

Section: Backdoor Defensementioning

confidence: 99%

Towards Understanding How Self-training Tolerates Data Backdoor Poisoning

Pal¹,

Ren²,

Yao³

et al. 2023

Preprint

View full text Add to dashboard Cite

Recent studies on backdoor attacks in model training have shown that polluting a small portion of training data is sufficient to produce incorrect manipulated predictions on poisoned test-time data while maintaining high clean accuracy in downstream tasks. The stealthiness of backdoor attacks has imposed tremendous defense challenges in today's machine learning paradigm. In this paper, we explore the potential of self-training via additional unlabeled data for mitigating backdoor attacks. We begin by making a pilot study to show that vanilla self-training is not effective in backdoor mitigation. Spurred by that, we propose to defend the backdoor attacks by leveraging strong but proper data augmentations in the self-training pseudo-labeling stage. We find that the new self-training regime help in defending against backdoor attacks to a great extent. Its effectiveness is demonstrated through experiments for different backdoor triggers on CIFAR-10 and a combination of CIFAR-10 with an additional unlabeled 500K TinyImages dataset. Finally, we explore the direction of combining self-supervised representation learning with self-training for further improvement in backdoor defense.

show abstract

Section: Backdoor Defensementioning

confidence: 99%

Towards Understanding How Self-training Tolerates Data Backdoor Poisoning

Pal¹,

Ren²,

Yao³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…In the first stage, February uses GradCAM [61] to identify regions of influence, generating heatmaps to illustrate important regions in the input that contribute significantly to the learned features. In the second stage, a GAN-based inpainting method is employed to reconstruct the masked regions.Based on this idea, Udeshi et al [62] also designed a square trigger interceptor using the dominant color in the image to locate and remove backdoor triggers.…”

Section: A Dataset-based Defense Strategiesmentioning

confidence: 99%

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

Zhang

Wei-ping

et al. 2023

IEEE Open J. Comput. Soc.

View full text Add to dashboard Cite

Backdoor attacks have severely threatened deep neural network (DNN) models in the past several years. In backdoor attacks, the attackers try to plant hidden backdoors into DNN models, either in the training or inference stage, to mislead the output of the model when the input contains some specified triggers without affecting the prediction of normal inputs not containing the triggers. As a rapidly developing topic, numerous works on designing various backdoor attacks and developing techniques to defend against such attacks have been proposed in recent years. However, a comprehensive and holistic overview of backdoor attacks and countermeasures is still missing. In this paper, we provide a systematic overview of the design of backdoor attacks and the defense strategies to defend against backdoor attacks, covering the latest published works. We review representative backdoor attacks and defense strategies in both the computer vision domain and other domains, discuss their pros and cons, and make comparisons among them. We outline key challenges to be addressed and potential research directions in the future.

show abstract

“…The goal is to obtain true label of every test image on the fly, with only access to the hard-label predictions of that image. Test-time image transformations [14,36,35] and heuristic trigger search in image space [43] do not work well.…”

Section: Related Workmentioning

confidence: 99%

“…Simply applying testtime image transformations [14,36,35] without model retraining compromises the model's accuracy on clean inputs [37]. Heuristic trigger search in image space [43] does not scale to complex triggers or high image resolution.…”

Section: Introductionmentioning

confidence: 99%

Mask and Restore: Blind Backdoor Defense at Test Time with Masked Autoencoder

Sun¹,

Pang²,

Chen³

et al. 2023

Preprint

View full text Add to dashboard Cite

Deep neural networks are vulnerable to backdoor attacks, where an adversary maliciously manipulates the model behavior through overlaying images with special triggers. Existing backdoor defense methods often require accessing a few validation data and model parameters, which are impractical in many real-world applications, e.g., when the model is provided as a cloud service. In this paper, we address the practical task of blind backdoor defense at test time, in particular for black-box models. The true label of every test image needs to be recovered on the fly from the hard label predictions of a suspicious model. The heuristic trigger search in image space, however, is not scalable to complex triggers or high image resolution. We circumvent such barrier by leveraging generic image generation models, and propose a framework of Blind Defense with Masked AutoEncoder (BDMAE). It uses the image structural similarity and label consistency between the test image and MAE restorations to detect possible triggers. The detection result is refined by considering the topology of triggers. We obtain a purified test image from restorations for making prediction. Our approach is blind to the model architectures, trigger patterns or image benignity. Extensive experiments on multiple datasets with different backdoor attacks validate its effectiveness and generalizability. Code is available at https://github.com/tsun/BDMAE.

show abstract

Model Agnostic Defence Against Backdoor Attacks in Machine Learning

Cited by 34 publications

References 20 publications

Towards Understanding How Self-training Tolerates Data Backdoor Poisoning

Towards Understanding How Self-training Tolerates Data Backdoor Poisoning

Backdoor Attacks to Deep Learning Models and Countermeasures: A Survey

Mask and Restore: Blind Backdoor Defense at Test Time with Masked Autoencoder

Contact Info

Product

Resources

About