UNICORN: A Unified Backdoor Trigger Inversion Framework
This work addresses a critical security threat in machine learning by providing a generalizable method for detecting backdoor models, which is incremental but improves upon existing constrained approaches.
The paper tackles the problem of backdoor attacks in deep neural networks by proposing a unified framework for trigger inversion, which effectively identifies and analyzes various trigger types without prior assumptions, achieving high inversion accuracy across multiple datasets.
The backdoor attack, where the adversary uses inputs stamped with triggers (e.g., a patch) to activate pre-planted malicious behaviors, is a severe threat to Deep Neural Network (DNN) models. Trigger inversion is an effective way of identifying backdoor models and understanding embedded adversarial behaviors. A challenge of trigger inversion is that there are many ways of constructing the trigger. Existing methods cannot generalize to various types of triggers by making certain assumptions or attack-specific constraints. The fundamental reason is that existing work does not consider the trigger's design space in their formulation of the inversion problem. This work formally defines and analyzes the triggers injected in different spaces and the inversion problem. Then, it proposes a unified framework to invert backdoor triggers based on the formalization of triggers and the identified inner behaviors of backdoor models from our analysis. Our prototype UNICORN is general and effective in inverting backdoor triggers in DNNs. The code can be found at https://github.com/RU-System-Software-and-Security/UNICORN.