PSBD: Prediction Shift Uncertainty Unlocks Backdoor Detection

TL;DR

The paper introduces PSBD, a novel backdoor detection method that leverages prediction shift uncertainty caused by neuron bias effects, requiring minimal unlabeled data and achieving state-of-the-art results.

Contribution

Proposes PSBD, a new backdoor detection technique based on prediction shift phenomenon and uncertainty measurement, with minimal data requirements.

Findings

PSBD effectively detects backdoor samples with high accuracy.

It outperforms existing detection methods in experiments.

Requires minimal unlabeled validation data.

Abstract

Deep neural networks are susceptible to backdoor attacks, where adversaries manipulate model predictions by inserting malicious samples into the training data. Currently, there is still a significant challenge in identifying suspicious training data to unveil potential backdoor samples. In this paper, we propose a novel method, Prediction Shift Backdoor Detection (PSBD), leveraging an uncertainty-based approach requiring minimal unlabeled clean validation data. PSBD is motivated by an intriguing Prediction Shift (PS) phenomenon, where poisoned models' predictions on clean data often shift away from true labels towards certain other labels with dropout applied during inference, while backdoor samples exhibit less PS. We hypothesize PS results from the neuron bias effect, making neurons favor features of certain classes. PSBD identifies backdoor training samples by computing the Prediction Shift Uncertainty (PSU), the variance in probability values when dropout layers are toggled on and off during model inference. Extensive experiments have been conducted to verify the effectiveness and efficiency of PSBD, which achieves state-of-the-art results among mainstream detection methods. The code is available at https://github.com/WL-619/PSBD.