Revisiting Data-Free Knowledge Distillation with Poisoned Teachers
Junyuan Hong, Yi Zeng, Shuyang Yu, Lingjuan Lyu, Ruoxi Jia, Jiayu Zhou

TL;DR
This paper investigates security risks in data-free knowledge distillation, revealing vulnerabilities to backdoor transfer from untrusted teachers, and proposes a defense method called ABD to mitigate this issue.
Contribution
It uncovers security vulnerabilities in data-free KD related to untrusted teachers and introduces ABD, a novel plug-in defense to prevent backdoor transfer.
Findings
ABD reduces transferred backdoor knowledge
Maintains downstream task performance
Highlights security risks in data-free KD
Abstract
Data-free knowledge distillation (KD) helps transfer knowledge from a pre-trained model (known as the teacher model) to a smaller model (known as the student model) without access to the original training data used for training the teacher model. However, the security of the synthetic or out-of-distribution (OOD) data required in data-free KD is largely unknown and under-explored. In this work, we make the first effort to uncover the security risk of data-free KD w.r.t. untrusted pre-trained models. We then propose Anti-Backdoor Data-Free KD (ABD), the first plug-in defensive method for data-free KD methods to mitigate the chance of potential backdoors being transferred. We empirically evaluate the effectiveness of our proposed ABD in diminishing transferred backdoor knowledge while maintaining compatible downstream performances as the vanilla KD. We envision this work as a milestone…
Peer Reviews
No public reviews on file for this paper yet.
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Neural Network Applications · Machine Learning and Data Classification
Methods: Knowledge Distillation
