Backdoor Defense with Machine Unlearning

TL;DR

This paper introduces BAERASE, a machine unlearning-based method for effectively erasing backdoors in neural networks by recovering trigger patterns and reversing the attack, outperforming existing defenses.

Contribution

BAERASE is a novel backdoor defense method that does not require full training data and achieves higher erasure effectiveness than prior techniques.

Findings

Reduces attack success rates by 99% on benchmarks

Outperforms fine-tuning and pruning methods

Effective against multiple backdoor attack types

Abstract

Backdoor injection attack is an emerging threat to the security of neural networks, however, there still exist limited effective defense methods against the attack. In this paper, we propose BAERASE, a novel method that can erase the backdoor injected into the victim model through machine unlearning. Specifically, BAERASE mainly implements backdoor defense in two key steps. First, trigger pattern recovery is conducted to extract the trigger patterns infected by the victim model. Here, the trigger pattern recovery problem is equivalent to the one of extracting an unknown noise distribution from the victim model, which can be easily resolved by the entropy maximization based generative model. Subsequently, BAERASE leverages these recovered trigger patterns to reverse the backdoor injection procedure and induce the victim model to erase the polluted memories through a newly designed gradient ascent based machine unlearning method. Compared with the previous machine unlearning solutions, the proposed approach gets rid of the reliance on the full access to training data for retraining and shows higher effectiveness on backdoor erasing than existing fine-tuning or pruning methods. Moreover, experiments show that BAERASE can averagely lower the attack success rates of three kinds of state-of-the-art backdoor attacks by 99\% on four benchmark datasets.