CR, CV, NE | Dec 30, 2021

Few-shot Backdoor Defense Using Shapley Estimation

arXiv:2112.14889v2, 66 citations
Originality: Incremental advance
AI Analysis

This addresses security threats in AI systems like autonomous driving and medical diagnosis by providing a data-efficient defense against backdoor attacks, though it is incremental as it builds on existing Shapley value methods.

The paper tackles the problem of backdoor attacks in deep neural networks by developing Shapley Pruning (ShapPruning), which uses Shapley value estimation to identify and prune infected neurons (under 1% of all neurons) with minimal data (1 image per class or no data), achieving effective defense while preserving model accuracy and structure.

Deep neural networks have achieved impressive performance in a variety of tasks over the last decade, such as autonomous driving, face recognition, and medical diagnosis. However, prior works show that deep neural networks are easily manipulated into specific, attacker-decided behaviors in the inference stage by backdoor attacks which inject malicious small hidden triggers into model training, raising serious security threats. To determine the triggered neurons and protect against backdoor attacks, we exploit Shapley value and develop a new approach called Shapley Pruning (ShapPruning) that successfully mitigates backdoor attacks from models in a data-insufficient situation (1 image per class or even free of data). Considering the interaction between neurons, ShapPruning identifies the few infected neurons (under 1% of all neurons) and manages to protect the model's structure and accuracy after pruning as many infected neurons as possible. To accelerate ShapPruning, we further propose a discarding threshold and an $\epsilon$-greedy strategy to accelerate Shapley estimation, making it possible to repair poisoned models in only several minutes. Experiments demonstrate the effectiveness and robustness of our method against various attacks and tasks compared to existing methods.
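The idea of ranking neurons by Shapley value and pruning the top one can be sketched with plain permutation sampling. This is an added example, not the paper's code, and it does not implement the paper's discarding threshold or $\epsilon$-greedy acceleration. The toy network, its weights, the samples and the attack-success value function are all constructed assumptions.

```python
import random

# Constructed toy network (not from the paper): 6 hidden ReLU neurons over
# inputs [a, b, trigger]; neurons 4 and 5 respond to the trigger.
W_IN = [[1, 0, 0], [0, 1, 0], [1, 0, 0], [0, 1, 0], [0, 0, 3], [0, 0, 1]]
W_OUT = [[1, 0], [0, 1], [1, 0], [0, 1], [0, 1], [0, 1]]  # per-neuron logit weights
TARGET = 1
CLEAN = [([1, 0, 0], 0), ([0, 1, 0], 1)]  # one clean sample per class
TRIGGERED = [[1, 0, 1]]                   # class-0 input carrying the trigger


def predict(x, keep):
    """Classify x using only the hidden neurons in `keep` (the rest are pruned)."""
    logits = [0.0, 0.0]
    for i in keep:
        h = max(0.0, sum(w * v for w, v in zip(W_IN[i], x)))
        logits[0] += h * W_OUT[i][0]
        logits[1] += h * W_OUT[i][1]
    return 1 if logits[1] > logits[0] else 0


def attack_success(keep):
    """Value function (assumed for this example): share of triggered inputs sent to TARGET."""
    return sum(predict(x, keep) == TARGET for x in TRIGGERED) / len(TRIGGERED)


def clean_accuracy(keep):
    """Accuracy on the clean samples with only the neurons in `keep` active."""
    return sum(predict(x, keep) == y for x, y in CLEAN) / len(CLEAN)


def shapley_estimate(n_neurons, value, n_perm=200, seed=0):
    """Monte Carlo Shapley: average each neuron's marginal gain over random orderings."""
    rng = random.Random(seed)
    phi = [0.0] * n_neurons
    for _ in range(n_perm):
        order = list(range(n_neurons))
        rng.shuffle(order)
        kept, prev = set(), value(set())
        for i in order:
            kept.add(i)
            cur = value(kept)
            phi[i] += cur - prev  # marginal contribution of neuron i in this ordering
            prev = cur
    return [p / n_perm for p in phi]


if __name__ == "__main__":
    phi = shapley_estimate(len(W_IN), attack_success)
    worst = max(range(len(phi)), key=phi.__getitem__)
    pruned = set(range(len(W_IN))) - {worst}
    print(phi, worst, attack_success(pruned), clean_accuracy(pruned))
```

Neurons 0 and 2 receive negative scores because they compete with the trigger path. The weaker trigger neuron 5 scores well below neuron 4, since it only flips the prediction when the clean-feature neurons are absent.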
