Defending Neural Backdoors via Generative Distribution Modeling

TL;DR

This paper introduces MESA, a novel method for modeling the entire distribution of potential backdoor triggers in neural networks, enabling more effective defenses against complex backdoor attacks.

Contribution

We propose MESA, a high-dimensional, sampling-free generative modeling algorithm to recover trigger distributions, improving backdoor defense capabilities.

Findings

MESA effectively models trigger distributions in high-dimensional spaces.

The proposed defense successfully removes backdoor triggers from models.

Experiments show robustness of the method on CIFAR datasets.

Abstract

Neural backdoor attack is emerging as a severe security threat to deep learning, while the capability of existing defense methods is limited, especially for complex backdoor triggers. In the work, we explore the space formed by the pixel values of all possible backdoor triggers. An original trigger used by an attacker to build the backdoored model represents only a point in the space. It then will be generalized into a distribution of valid triggers, all of which can influence the backdoored model. Thus, previous methods that model only one point of the trigger distribution is not sufficient. Getting the entire trigger distribution, e.g., via generative modeling, is a key to effective defense. However, existing generative modeling techniques for image generation are not applicable to the backdoor scenario as the trigger distribution is completely unknown. In this work, we propose max-entropy staircase approximator (MESA), an algorithm for high-dimensional sampling-free generative modeling and use it to recover the trigger distribution. We also develop a defense technique to remove the triggers from the backdoored model. Our experiments on Cifar10/100 dataset demonstrate the effectiveness of MESA in modeling the trigger distribution and the robustness of the proposed defense method.