On Certifying Robustness against Backdoor Attacks via Randomized Smoothing
Binghui Wang, Xiaoyu Cao, Jinyuan Jia, and Neil Zhenqiang Gong

TL;DR
This paper explores the potential of using randomized smoothing, a technique originally for adversarial robustness, to certify defenses against backdoor attacks in deep neural networks, revealing both feasibility and current limitations.
Contribution
It is the first to analyze and demonstrate the feasibility of certifying robustness against backdoor attacks using randomized smoothing techniques.
Findings
Randomized smoothing can theoretically certify robustness against backdoor attacks.
Existing methods have limited effectiveness in defending against backdoor attacks.
There is a need for new theories and methods to improve certification effectiveness.
Abstract
Backdoor attacks are a severe security threat to deep neural networks (DNNs). We envision that, as with adversarial examples, there will be a cat-and-mouse game for backdoor attacks, i.e., new empirical defenses are developed to defend against backdoor attacks, but they are soon broken by strong adaptive backdoor attacks. To prevent such a cat-and-mouse game, we take the first step towards certified defenses against backdoor attacks. Specifically, in this work, we study the feasibility and effectiveness of certifying robustness against backdoor attacks using a recent technique called randomized smoothing. Randomized smoothing was originally developed to certify robustness against adversarial examples. We generalize randomized smoothing to defend against backdoor attacks. Our results show the theoretical feasibility of using randomized smoothing to certify robustness against backdoor attacks.…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Smart Grid Security and Resilience
Methods: Randomized Smoothing
