Trojan Signatures in DNN Weights

TL;DR

This paper introduces a lightweight, data-free method for detecting trojan attacks in deep neural networks by analyzing the weight distribution of the final linear layer, effectively distinguishing trojaned models from benign ones.

Contribution

The authors propose the first ultra light-weight, data-free trojan detection technique focusing on final layer weights, effective across various architectures and attack types.

Findings

Detects trojans without training/test data or heavy computation

Distinguishes trojaned models by analyzing weight distributions

Effective against multiple attack methods and architectures

Abstract

Deep neural networks have been shown to be vulnerable to backdoor, or trojan, attacks where an adversary has embedded a trigger in the network at training time such that the model correctly classifies all standard inputs, but generates a targeted, incorrect classification on any input which contains the trigger. In this paper, we present the first ultra light-weight and highly effective trojan detection method that does not require access to the training/test data, does not involve any expensive computations, and makes no assumptions on the nature of the trojan trigger. Our approach focuses on analysis of the weights of the final, linear layer of the network. We empirically demonstrate several characteristics of these weights that occur frequently in trojaned networks, but not in benign networks. In particular, we show that the distribution of the weights associated with the trojan target class is clearly distinguishable from the weights associated with other classes. Using this, we demonstrate the effectiveness of our proposed detection method against state-of-the-art attacks across a variety of architectures, datasets, and trigger types.