Towards Unified Robustness Against Both Backdoor and Adversarial Attacks
Zhenxing Niu, Yuyao Sun, Qiguang Miao, Rong Jin, Gang Hua

TL;DR
This paper uncovers a connection between backdoor and adversarial attacks in deep neural networks and proposes a unified defense method, PUD, that effectively mitigates both attack types through a progressive purification process.
Contribution
The paper introduces a novel Progressive Unified Defense (PUD) algorithm that jointly defends against backdoor and adversarial attacks, leveraging their intrinsic connection for improved robustness.
Findings
PUD effectively erases backdoors while enhancing adversarial robustness.
It outperforms state-of-the-art backdoor defense methods.
It can identify poisoned images even with imperfect datasets.
Abstract
Deep Neural Networks (DNNs) are known to be vulnerable to both backdoor and adversarial attacks. In the literature, these two types of attacks are commonly treated as distinct robustness problems and solved separately, since they belong to training-time and inference-time attacks respectively. However, this paper reveals that there is an intriguing connection between them: (1) planting a backdoor into a model significantly affects the model's adversarial examples; (2) for an infected model, its adversarial examples have features similar to those of the triggered images. Based on these observations, a novel Progressive Unified Defense (PUD) algorithm is proposed to defend against backdoor and adversarial attacks simultaneously. Specifically, PUD uses a progressive model purification scheme to jointly erase backdoors and enhance the model's adversarial robustness. At the early stage, the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Security and Verification in Computing · Smart Grid Security and Resilience
