Fusing Pruned and Backdoored Models: Optimal Transport-based Data-free Backdoor Mitigation

TL;DR

This paper introduces OTBR, a novel data-free backdoor mitigation method that fuses pruned and backdoored models using optimal transport, achieving superior defense performance without relying on clean or poisoned data.

Contribution

It proposes a new data-free backdoor defense technique based on optimal transport model fusion, combining pruned and backdoored models for improved security.

Findings

Successfully defends against seven backdoor attacks

Outperforms state-of-the-art data-free and data-dependent methods

Achieves high clean accuracy and low attack success rate

Abstract

Backdoor attacks present a serious security threat to deep neuron networks (DNNs). Although numerous effective defense techniques have been proposed in recent years, they inevitably rely on the availability of either clean or poisoned data. In contrast, data-free defense techniques have evolved slowly and still lag significantly in performance. To address this issue, different from the traditional approach of pruning followed by fine-tuning, we propose a novel data-free defense method named Optimal Transport-based Backdoor Repairing (OTBR) in this work. This method, based on our findings on neuron weight changes (NWCs) of random unlearning, uses optimal transport (OT)-based model fusion to combine the advantages of both pruned and backdoored models. Specifically, we first demonstrate our findings that the NWCs of random unlearning are positively correlated with those of poison unlearning. Based on this observation, we propose a random-unlearning NWC pruning technique to eliminate the backdoor effect and obtain a backdoor-free pruned model. Then, motivated by the OT-based model fusion, we propose the pruned-to-backdoored OT-based fusion technique, which fuses pruned and backdoored models to combine the advantages of both, resulting in a model that demonstrates high clean accuracy and a low attack success rate. To our knowledge, this is the first work to apply OT and model fusion techniques to backdoor defense. Extensive experiments show that our method successfully defends against all seven backdoor attacks across three benchmark datasets, outperforming both state-of-the-art (SOTA) data-free and data-dependent methods. The code implementation and Appendix are provided in the Supplementary Material.