Confidence Matters: Inspecting Backdoors in Deep Neural Networks via Distribution Transfer
This addresses a security threat for deep learning practitioners by providing a detection method that works even when existing defenses fail due to advanced attacks, though it is incremental as it builds on new observations rather than a paradigm shift.
The paper tackles the problem of detecting backdoor attacks in deep learning models by proposing DTInspector, a defense that exploits the high prediction confidence required for effective backdoors, achieving effectiveness across five attacks, four datasets, and three advanced attack types.
Backdoor attacks have been shown to be a serious security threat against deep learning models, and detecting whether a given model has been backdoored becomes a crucial task. Existing defenses are mainly built upon the observation that the backdoor trigger is usually of small size or affects the activation of only a few neurons. However, the above observations are violated in many cases especially for advanced backdoor attacks, hindering the performance and applicability of the existing defenses. In this paper, we propose a backdoor defense DTInspector built upon a new observation. That is, an effective backdoor attack usually requires high prediction confidence on the poisoned training samples, so as to ensure that the trained model exhibits the targeted behavior with a high probability. Based on this observation, DTInspector first learns a patch that could change the predictions of most high-confidence data, and then decides the existence of backdoor by checking the ratio of prediction changes after applying the learned patch on the low-confidence data. Extensive evaluations on five backdoor attacks, four datasets, and three advanced attacking types demonstrate the effectiveness of the proposed defense.