Unveiling and Mitigating Backdoor Vulnerabilities based on Unlearning Weight Changes and Backdoor Activeness

TL;DR

This paper investigates backdoor vulnerabilities in deep neural networks by analyzing weight changes and neuron activity during unlearning, proposing a two-stage defense method that outperforms existing approaches.

Contribution

It introduces a novel backdoor defense method based on weight change analysis and neuron activeness, without requiring poisoned data, and demonstrates its effectiveness through extensive experiments.

Findings

Weight changes correlate between poison and clean unlearning, enabling backdoor neuron identification.

Backdoored neurons exhibit higher activity, suggesting suppression during fine-tuning.

Proposed method outperforms recent state-of-the-art defenses on multiple datasets.

Abstract

The security threat of backdoor attacks is a central concern for deep neural networks (DNNs). Recently, without poisoned data, unlearning models with clean data and then learning a pruning mask have contributed to backdoor defense. Additionally, vanilla fine-tuning with those clean data can help recover the lost clean accuracy. However, the behavior of clean unlearning is still under-explored, and vanilla fine-tuning unintentionally induces back the backdoor effect. In this work, we first investigate model unlearning from the perspective of weight changes and gradient norms, and find two interesting observations in the backdoored model: 1) the weight changes between poison and clean unlearning are positively correlated, making it possible for us to identify the backdoored-related neurons without using poisoned data; 2) the neurons of the backdoored model are more active (i.e., larger changes in gradient norm) than those in the clean model, suggesting the need to suppress the gradient norm during fine-tuning. Then, we propose an effective two-stage defense method. In the first stage, an efficient Neuron Weight Change (NWC)-based Backdoor Reinitialization is proposed based on observation 1). In the second stage, based on observation 2), we design an Activeness-Aware Fine-Tuning to replace the vanilla fine-tuning. Extensive experiments, involving eight backdoor attacks on three benchmark datasets, demonstrate the superior performance of our proposed method compared to recent state-of-the-art backdoor defense approaches.