Universal Detection of Backdoor Attacks via Density-based Clustering and Centroids Analysis

TL;DR

This paper introduces a universal, attack-agnostic method for detecting backdoor attacks in neural networks by clustering training data and analyzing cluster centroids, effectively identifying poisoned data regardless of attack type.

Contribution

The paper presents a novel density-based clustering and centroid analysis approach that detects poisoned clusters in training data, outperforming existing defenses across various attack scenarios.

Findings

Effective detection across multiple attack types

Outperforms state-of-the-art methods

Works with different network architectures

Abstract

We propose a Universal Defence against backdoor attacks based on Clustering and Centroids Analysis (CCA-UD). The goal of the defence is to reveal whether a Deep Neural Network model is subject to a backdoor attack by inspecting the training dataset. CCA-UD first clusters the samples of the training set by means of density-based clustering. Then, it applies a novel strategy to detect the presence of poisoned clusters. The proposed strategy is based on a general misclassification behaviour observed when the features of a representative example of the analysed cluster are added to benign samples. The capability of inducing a misclassification error is a general characteristic of poisoned samples, hence the proposed defence is attack-agnostic. This marks a significant difference with respect to existing defences, that, either can defend against only some types of backdoor attacks, or are effective only when some conditions on the poisoning ratio or the kind of triggering signal used by the attacker are satisfied. Experiments carried out on several classification tasks and network architectures, considering different types of backdoor attacks (with either clean or corrupted labels), and triggering signals, including both global and local triggering signals, as well as sample-specific and source-specific triggers, reveal that the proposed method is very effective to defend against backdoor attacks in all the cases, always outperforming the state of the art techniques.