Universal Backdoor Attacks Detection via Adaptive Adversarial Probe

TL;DR

This paper introduces a universal backdoor attack detection method called Adaptive Adversarial Probe (A2P) that adaptively probes images to identify diverse backdoor triggers, outperforming existing methods across multiple datasets.

Contribution

The paper proposes a novel global-to-local probing framework with adaptive regions and attack budgets to detect diverse backdoor triggers in neural networks.

Findings

A2P outperforms state-of-the-art methods by large margins (+12%) on multiple datasets.

The adaptive probing strategy effectively detects diverse backdoor triggers.

Extensive experiments validate the robustness and effectiveness of A2P.

Abstract

Extensive evidence has demonstrated that deep neural networks (DNNs) are vulnerable to backdoor attacks, which motivates the development of backdoor attacks detection. Most detection methods are designed to verify whether a model is infected with presumed types of backdoor attacks, yet the adversary is likely to generate diverse backdoor attacks in practice that are unforeseen to defenders, which challenge current detection strategies. In this paper, we focus on this more challenging scenario and propose a universal backdoor attacks detection method named Adaptive Adversarial Probe (A2P). Specifically, we posit that the challenge of universal backdoor attacks detection lies in the fact that different backdoor attacks often exhibit diverse characteristics in trigger patterns (i.e., sizes and transparencies). Therefore, our A2P adopts a global-to-local probing framework, which adversarially probes images with adaptive regions/budgets to fit various backdoor triggers of different sizes/transparencies. Regarding the probing region, we propose the attention-guided region generation strategy that generates region proposals with different sizes/locations based on the attention of the target model, since trigger regions often manifest higher model activation. Considering the attack budget, we introduce the box-to-sparsity scheduling that iteratively increases the perturbation budget from box to sparse constraint, so that we could better activate different latent backdoors with different transparencies. Extensive experiments on multiple datasets (CIFAR-10, GTSRB, Tiny-ImageNet) demonstrate that our method outperforms state-of-the-art baselines by large margins (+12%).