# Februus: Input Purification Defense Against Trojan Attacks on Deep   Neural Network Systems

**Authors:** Bao Gia Doan, Ehsan Abbasnejad, Damith C. Ranasinghe

arXiv: 1908.03369 · 2020-12-17

## TL;DR

Februus is a run-time input purification method that effectively neutralizes Trojan backdoor attacks on deep neural networks by removing trigger artifacts without impacting benign input classification performance.

## Contribution

It introduces the first run-time input sanitization technique that neutralizes Trojan triggers without retraining or anomaly detection, demonstrating high efficacy across multiple datasets and attack types.

## Key findings

- Reduced attack success rate from 100% to near 0%
- Effective against complex adaptive Trojan attacks
- No performance loss on benign inputs

## Abstract

We propose Februus; a new idea to neutralize highly potent and insidious Trojan attacks on Deep Neural Network (DNN) systems at run-time. In Trojan attacks, an adversary activates a backdoor crafted in a deep neural network model using a secret trigger, a Trojan, applied to any input to alter the model's decision to a target prediction---a target determined by and only known to the attacker. Februus sanitizes the incoming input by surgically removing the potential trigger artifacts and restoring the input for the classification task. Februus enables effective Trojan mitigation by sanitizing inputs with no loss of performance for sanitized inputs, Trojaned or benign. Our extensive evaluations on multiple infected models based on four popular datasets across three contrasting vision applications and trigger types demonstrate the high efficacy of Februus. We dramatically reduced attack success rates from 100% to near 0% for all cases (achieving 0% on multiple cases) and evaluated the generalizability of Februus to defend against complex adaptive attacks; notably, we realized the first defense against the advanced partial Trojan attack. To the best of our knowledge, Februus is the first backdoor defense method for operation at run-time capable of sanitizing Trojaned inputs without requiring anomaly detection methods, model retraining or costly labeled data.

## Full text

_Full body text omitted from this summary view._ Fetch the complete paper as Markdown: https://tomesphere.com/paper/1908.03369/full.md

## Figures

27 figures with captions in the complete paper: https://tomesphere.com/paper/1908.03369/full.md

## References

52 references — full list in the complete paper: https://tomesphere.com/paper/1908.03369/full.md

---
Source: https://tomesphere.com/paper/1908.03369