Fine-Tuning Is All You Need to Mitigate Backdoor Attacks
This work addresses the threat of backdoor attacks for machine learning model owners, offering a simpler and more efficient defense solution, though it is incremental as it builds on existing fine-tuning techniques.
The paper tackles the problem of backdoor attacks in machine learning models by demonstrating that fine-tuning can effectively remove backdoors while maintaining high model utility, with experiments showing strong defense performance and limited backdoor sequela compared to other methods.
Backdoor attacks represent one of the major threats to machine learning models. Various efforts have been made to mitigate backdoors. However, existing defenses have become increasingly complex and often require high computational resources or may also jeopardize models' utility. In this work, we show that fine-tuning, one of the most common and easy-to-adopt machine learning training operations, can effectively remove backdoors from machine learning models while maintaining high model utility. Extensive experiments over three machine learning paradigms show that fine-tuning and our newly proposed super-fine-tuning achieve strong defense performance. Furthermore, we coin a new term, namely backdoor sequela, to measure the changes in model vulnerabilities to other attacks before and after the backdoor has been removed. Empirical evaluation shows that, compared to other defense methods, super-fine-tuning leaves limited backdoor sequela. We hope our results can help machine learning model owners better protect their models from backdoor threats. Also, it calls for the design of more advanced attacks in order to comprehensively assess machine learning models' backdoor vulnerabilities.