Post-Training Detection of Backdoor Attacks for Two-Class and Multi-Attack Scenarios

TL;DR

This paper introduces a novel backdoor attack detection framework that effectively identifies attacks in two-class and multi-attack scenarios without access to training data or clean classifiers, using reverse-engineering and an expected transferability statistic.

Contribution

The paper proposes a new detection framework based on backdoor pattern reverse-engineering and a novel expected transferability statistic, applicable to two-class and multi-attack scenarios without training data.

Findings

Effective detection across six benchmark datasets

Applicable to multi-class and multi-attack scenarios

Threshold-independent detection performance

Abstract

Backdoor attacks (BAs) are an emerging threat to deep neural network classifiers. A victim classifier will predict to an attacker-desired target class whenever a test sample is embedded with the same backdoor pattern (BP) that was used to poison the classifier's training set. Detecting whether a classifier is backdoor attacked is not easy in practice, especially when the defender is, e.g., a downstream user without access to the classifier's training set. This challenge is addressed here by a reverse-engineering defense (RED), which has been shown to yield state-of-the-art performance in several domains. However, existing REDs are not applicable when there are only {\it two classes} or when {\it multiple attacks} are present. These scenarios are first studied in the current paper, under the practical constraints that the defender neither has access to the classifier's training set nor to supervision from clean reference classifiers trained for the same domain. We propose a detection framework based on BP reverse-engineering and a novel {\it expected transferability} (ET) statistic. We show that our ET statistic is effective {\it using the same detection threshold}, irrespective of the classification domain, the attack configuration, and the BP reverse-engineering algorithm that is used. The excellent performance of our method is demonstrated on six benchmark datasets. Notably, our detection framework is also applicable to multi-class scenarios with multiple attacks. Code is available at https://github.com/zhenxianglance/2ClassBADetection.