Rethinking Backdoor Attacks
This work addresses the problem of detecting backdoor attacks in machine learning models, offering a novel perspective that challenges existing defenses, but it is incremental as it builds on prior assumptions.
The paper argues that backdoor attacks are indistinguishable from natural data features without structural assumptions, and proposes a detection algorithm based on viewing backdoors as the strongest feature, with theoretical guarantees and practical effectiveness.
In a backdoor attack, an adversary inserts maliciously constructed backdoor examples into a training set to make the resulting model vulnerable to manipulation. Defending against such attacks typically involves viewing these inserted examples as outliers in the training set and using techniques from robust statistics to detect and remove them. In this work, we present a different approach to the backdoor attack problem. Specifically, we show that without structural information about the training data distribution, backdoor attacks are indistinguishable from naturally-occurring features in the data--and thus impossible to "detect" in a general sense. Then, guided by this observation, we revisit existing defenses against backdoor attacks and characterize the (often latent) assumptions they make and on which they depend. Finally, we explore an alternative perspective on backdoor attacks: one that assumes these attacks correspond to the strongest feature in the training data. Under this assumption (which we make formal) we develop a new primitive for detecting backdoor attacks. Our primitive naturally gives rise to a detection algorithm that comes with theoretical guarantees and is effective in practice.