Flatness-aware Sequential Learning Generates Resilient Backdoors

TL;DR

This paper introduces a novel continual learning-based framework called Sequential Backdoor Learning (SBL) that creates resilient backdoors in neural networks, resistant to fine-tuning defenses, by seeking flatter regions in the loss landscape.

Contribution

The paper proposes SBL, a new method that leverages continual learning and sharpness-aware minimization to generate backdoors resistant to fine-tuning defenses.

Findings

SBL produces backdoors that withstand fine-tuning defenses.

Flatter backdoor regions improve resilience against model updates.

Empirical results confirm the effectiveness of SBL on benchmark datasets.

Abstract

Recently, backdoor attacks have become an emerging threat to the security of machine learning models. From the adversary's perspective, the implanted backdoors should be resistant to defensive algorithms, but some recently proposed fine-tuning defenses can remove these backdoors with notable efficacy. This is mainly due to the catastrophic forgetting (CF) property of deep neural networks. This paper counters CF of backdoors by leveraging continual learning (CL) techniques. We begin by investigating the connectivity between a backdoored and fine-tuned model in the loss landscape. Our analysis confirms that fine-tuning defenses, especially the more advanced ones, can easily push a poisoned model out of the backdoor regions, making it forget all about the backdoors. Based on this finding, we re-formulate backdoor training through the lens of CL and propose a novel framework, named Sequential Backdoor Learning (SBL), that can generate resilient backdoors. This framework separates the backdoor poisoning process into two tasks: the first task learns a backdoored model, while the second task, based on the CL principles, moves it to a backdoored region resistant to fine-tuning. We additionally propose to seek flatter backdoor regions via a sharpness-aware minimizer in the framework, further strengthening the durability of the implanted backdoor. Finally, we demonstrate the effectiveness of our method through extensive empirical experiments on several benchmark datasets in the backdoor domain. The source code is available at https://github.com/mail-research/SBL-resilient-backdoors