Test-Time Detection of Backdoor Triggers for Poisoned Deep Neural Networks

TL;DR

This paper introduces a novel test-time defense mechanism for detecting and identifying backdoor triggers in deep neural networks during inference, addressing a critical gap in existing defenses.

Contribution

It proposes an 'in-flight' detection method that identifies backdoor triggers and infers their source class during testing, unlike prior methods that only detect attacks post-training.

Findings

Effective detection of backdoor triggers at test-time

Ability to infer source class of detected triggers

Demonstrated robustness against various strong backdoor attacks

Abstract

Backdoor (Trojan) attacks are emerging threats against deep neural networks (DNN). A DNN being attacked will predict to an attacker-desired target class whenever a test sample from any source class is embedded with a backdoor pattern; while correctly classifying clean (attack-free) test samples. Existing backdoor defenses have shown success in detecting whether a DNN is attacked and in reverse-engineering the backdoor pattern in a "post-training" regime: the defender has access to the DNN to be inspected and a small, clean dataset collected independently, but has no access to the (possibly poisoned) training set of the DNN. However, these defenses neither catch culprits in the act of triggering the backdoor mapping, nor mitigate the backdoor attack at test-time. In this paper, we propose an "in-flight" defense against backdoor attacks on image classification that 1) detects use of a backdoor trigger at test-time; and 2) infers the class of origin (source class) for a detected trigger example. The effectiveness of our defense is demonstrated experimentally against different strong backdoor attacks.