Backdoor Attack and Defense for Deep Regression

TL;DR

This paper explores backdoor attacks on deep regression models, demonstrating how localized data poisoning can succeed and proposing gradient-based detection methods, while also improving training efficiency with active learning and oracles.

Contribution

It introduces a localized backdoor attack specific to deep regression and proposes a gradient-based defense, along with a novel active learning approach using oracles for training.

Findings

Backdoor attacks can be localized using training data poisoning.

Gradient-based methods effectively detect suspicious local error maximizers.

Active learning with oracles improves deep regression training efficiency.

Abstract

We demonstrate a backdoor attack on a deep neural network used for regression. The backdoor attack is localized based on training-set data poisoning wherein the mislabeled samples are surrounded by correctly labeled ones. We demonstrate how such localization is necessary for attack success. We also study the performance of a backdoor defense using gradient-based discovery of local error maximizers. Local error maximizers which are associated with significant (interpolation) error, and are proximal to many training samples, are suspicious. This method is also used to accurately train for deep regression in the first place by active (deep) learning leveraging an "oracle" capable of providing real-valued supervision (a regression target) for samples. Such oracles, including traditional numerical solvers of PDEs or SDEs using finite difference or Monte Carlo approximations, are far more computationally costly compared to deep regression.