BadActs: A Universal Backdoor Defense in the Activation Space

TL;DR

This paper proposes a universal backdoor defense method that purifies backdoor samples in the activation space, effectively counteracting diverse triggers while maintaining high accuracy on clean data.

Contribution

It introduces a novel activation space purification approach and a detection module, improving robustness against backdoor attacks across various trigger types.

Findings

Effective removal of backdoor triggers in activation space

Maintains high clean data accuracy

Outperforms existing defenses in diverse scenarios

Abstract

Backdoor attacks pose an increasingly severe security threat to Deep Neural Networks (DNNs) during their development stage. In response, backdoor sample purification has emerged as a promising defense mechanism, aiming to eliminate backdoor triggers while preserving the integrity of the clean content in the samples. However, existing approaches have been predominantly focused on the word space, which are ineffective against feature-space triggers and significantly impair performance on clean data. To address this, we introduce a universal backdoor defense that purifies backdoor samples in the activation space by drawing abnormal activations towards optimized minimum clean activation distribution intervals. The advantages of our approach are twofold: (1) By operating in the activation space, our method captures from surface-level information like words to higher-level semantic concepts such as syntax, thus counteracting diverse triggers; (2) the fine-grained continuous nature of the activation space allows for more precise preservation of clean content while removing triggers. Furthermore, we propose a detection module based on statistical information of abnormal activations, to achieve a better trade-off between clean accuracy and defending performance.