Backdoor Mitigation by Correcting the Distribution of Neural Activations
This work addresses a security vulnerability for users of deep neural networks by providing an efficient post-training mitigation method, though it is incremental, as it builds on known backdoor properties.
The paper tackles backdoor attacks in deep neural networks by revealing that such attacks alter the distribution of internal layer activations, and shows that correcting this alteration using reverse-engineered triggers can mitigate backdoors without changing trainable parameters, achieving generally better performance than existing tuning-based methods.
Backdoor (Trojan) attacks are an important type of adversarial exploit against deep neural networks (DNNs), wherein a test instance is (mis)classified to the attacker's target class whenever the attacker's backdoor trigger is present. In this paper, we reveal and analyze an important property of backdoor attacks: a successful attack causes an alteration in the distribution of internal layer activations for backdoor-trigger instances, compared to that for clean instances. Even more importantly, we find that instances with the backdoor trigger will be correctly classified to their original source classes if this distribution alteration is corrected. Based on our observations, we propose an efficient and effective method that achieves post-training backdoor mitigation by correcting the distribution alteration using reverse-engineered triggers. Notably, our method does not change any trainable parameters of the DNN, but achieves generally better mitigation performance than existing methods that do require intensive DNN parameter tuning. It also efficiently detects test instances with the trigger, which may help to catch adversarial entities in the act of exploiting the backdoor.
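The idea in the abstract, as an added toy example that is not the paper's code: internal-layer activations are mapped back onto their clean statistics without touching any weights, and an input is flagged when that changes its label. The three-unit model, the per-unit mean/std matching, the label-change detection rule and the assumption that the reverse-engineered trigger equals the real one are all simplifications made for this example.

```python
import random
import statistics as st

# Constructed toy model: 3 hidden ReLU units and a fixed linear head. Unit 2 is
# the backdoor neuron: ~0 on clean inputs, large with the trigger, favours class 1.
HEAD = [[1.0, 0.0, 0.0], [0.0, 1.0, 2.0]]  # rows: logits for class 0, class 1

def hidden(x, trigger=False):
    """Internal-layer activations; the trigger shifts unit 2 by +4."""
    return [max(0.0, x[0]), max(0.0, x[1]), max(0.0, x[2] + 4.0 * trigger)]

def predict(h):
    logits = [sum(w * a for w, a in zip(row, h)) for row in HEAD]
    return logits.index(max(logits))

def fit_correction(clean_inputs):
    """Per-unit (mean, std) with and without the reverse-engineered trigger."""
    trig = zip(*(hidden(x, True) for x in clean_inputs))
    clean = zip(*(hidden(x) for x in clean_inputs))
    return [(st.mean(t), st.pstdev(t) or 1.0, st.mean(c), st.pstdev(c) or 1.0)
            for t, c in zip(trig, clean)]

def correct(h, stats):
    """Affine map from triggered statistics to clean ones, then ReLU clamp."""
    return [max(0.0, (a - mt) / s_t * sc + mc)
            for a, (mt, s_t, mc, sc) in zip(h, stats)]

def classify(x, stats, trigger=False):
    """Return (original label, mitigated label, trigger-detected flag)."""
    h = hidden(x, trigger)
    raw, fixed = predict(h), predict(correct(h, stats))
    return raw, fixed, raw != fixed

def sample(rng, label):
    hi, lo = rng.uniform(1.7, 2.3), rng.uniform(0.2, 0.8)  # constructed data
    return ((hi, lo) if label == 0 else (lo, hi)) + (rng.uniform(0.0, 0.2),)

def demo(n=200, seed=0):
    rng, labels = random.Random(seed), [i % 2 for i in range(n)]
    stats = fit_correction([sample(rng, y) for y in labels])  # small clean set
    xs = [sample(rng, y) for y in labels]                     # held-out inputs
    clean = [classify(x, stats) for x in xs]
    hit = [classify(x, stats, True) for x, y in zip(xs, labels) if y == 0]
    return {
        "attack_success_before": sum(r for r, _, _ in hit) / len(hit),
        "attack_success_after": sum(f for _, f, _ in hit) / len(hit),
        "trigger_detected": sum(d for _, _, d in hit) / len(hit),
        "clean_false_alarms": sum(d for _, _, d in clean) / n,
        "clean_accuracy_after": sum(f == y for (_, f, _), y in zip(clean, labels)) / n,
    }
```

Calling `demo()` returns the attack success rate before and after the correction, together with the detection rate on triggered inputs and the false-alarm rate and accuracy on clean ones.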