Leveraging Diffusion-Based Image Variations for Robust Training on Poisoned Data

TL;DR

This paper introduces a method using diffusion models to generate synthetic data variations and improve the robustness of neural networks against backdoor attacks, enabling safer training on potentially poisoned datasets.

Contribution

It presents a novel approach combining diffusion-based data augmentation with knowledge distillation to enhance backdoor resistance in neural network training.

Findings

Synthetic data variations improve backdoor detection

Models trained with this method resist trigger activation

Approach maintains high task performance

Abstract

Backdoor attacks pose a serious security threat for training neural networks as they surreptitiously introduce hidden functionalities into a model. Such backdoors remain silent during inference on clean inputs, evading detection due to inconspicuous behavior. However, once a specific trigger pattern appears in the input data, the backdoor activates, causing the model to execute its concealed function. Detecting such poisoned samples within vast datasets is virtually impossible through manual inspection. To address this challenge, we propose a novel approach that enables model training on potentially poisoned datasets by utilizing the power of recent diffusion models. Specifically, we create synthetic variations of all training samples, leveraging the inherent resilience of diffusion models to potential trigger patterns in the data. By combining this generative approach with knowledge distillation, we produce student models that maintain their general performance on the task while exhibiting robust resistance to backdoor triggers.