Backdoor Mitigation by Correcting the Distribution of Neural Activations

TL;DR

This paper identifies that backdoor attacks alter neural activation distributions and proposes a post-training mitigation method that corrects these distributions without retraining the model, improving detection and defense.

Contribution

The paper introduces a novel backdoor mitigation technique based on correcting activation distribution shifts, avoiding retraining and enhancing detection capabilities.

Findings

Effective backdoor mitigation without retraining.

Improved detection of trigger instances.

Outperforms existing methods in mitigation performance.

Abstract

Backdoor (Trojan) attacks are an important type of adversarial exploit against deep neural networks (DNNs), wherein a test instance is (mis)classified to the attacker's target class whenever the attacker's backdoor trigger is present. In this paper, we reveal and analyze an important property of backdoor attacks: a successful attack causes an alteration in the distribution of internal layer activations for backdoor-trigger instances, compared to that for clean instances. Even more importantly, we find that instances with the backdoor trigger will be correctly classified to their original source classes if this distribution alteration is corrected. Based on our observations, we propose an efficient and effective method that achieves post-training backdoor mitigation by correcting the distribution alteration using reverse-engineered triggers. Notably, our method does not change any trainable parameters of the DNN, but achieves generally better mitigation performance than existing methods that do require intensive DNN parameter tuning. It also efficiently detects test instances with the trigger, which may help to catch adversarial entities in the act of exploiting the backdoor.