Backdoor Cleansing with Unlabeled Data

TL;DR

This paper introduces a label-free backdoor defense method for neural networks that uses layer-wise re-initialization and knowledge distillation, effectively mitigating backdoor threats without requiring clean labeled data.

Contribution

The proposed method uniquely defends against backdoor attacks without relying on labeled clean data, making it practical for real-world scenarios.

Findings

Effective backdoor removal comparable to label-dependent methods

Maintains normal model performance after cleansing

Works well even on out-of-distribution data

Abstract

Due to the increasing computational demand of Deep Neural Networks (DNNs), companies and organizations have begun to outsource the training process. However, the externally trained DNNs can potentially be backdoor attacked. It is crucial to defend against such attacks, i.e., to postprocess a suspicious model so that its backdoor behavior is mitigated while its normal prediction power on clean inputs remain uncompromised. To remove the abnormal backdoor behavior, existing methods mostly rely on additional labeled clean samples. However, such requirement may be unrealistic as the training data are often unavailable to end users. In this paper, we investigate the possibility of circumventing such barrier. We propose a novel defense method that does not require training labels. Through a carefully designed layer-wise weight re-initialization and knowledge distillation, our method can effectively cleanse backdoor behaviors of a suspicious network with negligible compromise in its normal behavior. In experiments, we show that our method, trained without labels, is on-par with state-of-the-art defense methods trained using labels. We also observe promising defense results even on out-of-distribution data. This makes our method very practical. Code is available at: https://github.com/luluppang/BCU.