NNoculation: Catching BadNets in the Wild

TL;DR

NNoculation is a two-stage defense mechanism for neural networks that repairs backdoored models pre-deployment and detects, quarantines, and retrains on backdoored inputs post-deployment, outperforming existing defenses.

Contribution

The paper introduces NNoculation, a novel two-stage approach combining model repair and input detection to defend against diverse backdoor attacks in neural networks.

Findings

Outperforms state-of-the-art defenses on various backdoor attacks

Effective even against adaptive attacks that bypass other defenses

Minimal assumptions required for successful defense

Abstract

This paper proposes a novel two-stage defense (NNoculation) against backdoored neural networks (BadNets) that, repairs a BadNet both pre-deployment and online in response to backdoored test inputs encountered in the field. In the pre-deployment stage, NNoculation retrains the BadNet with random perturbations of clean validation inputs to partially reduce the adversarial impact of a backdoor. Post-deployment, NNoculation detects and quarantines backdoored test inputs by recording disagreements between the original and pre-deployment patched networks. A CycleGAN is then trained to learn transformations between clean validation and quarantined inputs; i.e., it learns to add triggers to clean validation images. Backdoored validation images along with their correct labels are used to further retrain the pre-deployment patched network, yielding our final defense. Empirical evaluation on a comprehensive suite of backdoor attacks show that NNoculation outperforms all state-of-the-art defenses that make restrictive assumptions and only work on specific backdoor attacks, or fail on adaptive attacks. In contrast, NNoculation makes minimal assumptions and provides an effective defense, even under settings where existing defenses are ineffective due to attackers circumventing their restrictive assumptions.