PECAN: A Deterministic Certified Defense Against Backdoor Attacks

TL;DR

PECAN is an efficient, certified defense method against backdoor attacks in neural networks, using test-time evasion certification on data partitions to significantly reduce attack success rates.

Contribution

PECAN introduces a novel, certified defense approach leveraging existing certification techniques on data partitions, outperforming prior methods in strength and efficiency.

Findings

Outperforms state-of-the-art certified defenses in strength and efficiency.

Reduces attack success rate by an order of magnitude on real backdoor attacks.

Effective on image classification and malware detection datasets.

Abstract

Neural networks are vulnerable to backdoor poisoning attacks, where the attackers maliciously poison the training set and insert triggers into the test input to change the prediction of the victim model. Existing defenses for backdoor attacks either provide no formal guarantees or come with expensive-to-compute and ineffective probabilistic guarantees. We present PECAN, an efficient and certified approach for defending against backdoor attacks. The key insight powering PECAN is to apply off-the-shelf test-time evasion certification techniques on a set of neural networks trained on disjoint partitions of the data. We evaluate PECAN on image classification and malware detection datasets. Our results demonstrate that PECAN can (1) significantly outperform the state-of-the-art certified backdoor defense, both in defense strength and efficiency, and (2) on real back-door attacks, PECAN can reduce attack success rate by order of magnitude when compared to a range of baselines from the literature.