Towards Stable Backdoor Purification through Feature Shift Tuning

TL;DR

This paper proposes Feature Shift Tuning (FST), a simple and effective method for backdoor defense in neural networks that disentangles backdoor and clean features, ensuring stable purification across diverse attack scenarios with minimal tuning cost.

Contribution

The paper introduces FST, a novel feature disentanglement approach for backdoor purification that outperforms existing methods in stability and efficiency, especially at low poisoning rates.

Findings

FST achieves consistent backdoor removal across various attack settings.

FST requires only 10 epochs, reducing tuning costs significantly.

Disentangling features improves the effectiveness of backdoor defenses.

Abstract

It has been widely observed that deep neural networks (DNN) are vulnerable to backdoor attacks where attackers could manipulate the model behavior maliciously by tampering with a small set of training samples. Although a line of defense methods is proposed to mitigate this threat, they either require complicated modifications to the training process or heavily rely on the specific model architecture, which makes them hard to deploy into real-world applications. Therefore, in this paper, we instead start with fine-tuning, one of the most common and easy-to-deploy backdoor defenses, through comprehensive evaluations against diverse attack scenarios. Observations made through initial experiments show that in contrast to the promising defensive results on high poisoning rates, vanilla tuning methods completely fail at low poisoning rate scenarios. Our analysis shows that with the low poisoning rate, the entanglement between backdoor and clean features undermines the effect of tuning-based defenses. Therefore, it is necessary to disentangle the backdoor and clean features in order to improve backdoor purification. To address this, we introduce Feature Shift Tuning (FST), a method for tuning-based backdoor purification. Specifically, FST encourages feature shifts by actively deviating the classifier weights from the originally compromised weights. Extensive experiments demonstrate that our FST provides consistently stable performance under different attack settings. Without complex parameter adjustments, FST also achieves much lower tuning costs, only 10 epochs. Our codes are available at https://github.com/AISafety-HKUST/stable_backdoor_purification.