Defending Deep Regression Models against Backdoor Attacks
Lingyu Du, Yupei Liu, Jinyuan Jia, Guohao Lan

TL;DR
This paper introduces DRMGuard, a novel method to detect backdoor attacks in deep regression models by leveraging their unique output and feature space properties, outperforming existing defenses.
Contribution
The paper presents DRMGuard, the first defense specifically designed for deep regression models to identify backdoor attacks, addressing limitations of classification-based defenses.
Findings
DRMGuard effectively detects backdoor attacks in regression models.
It outperforms four state-of-the-art defenses across multiple datasets.
The approach is validated on two regression tasks with extensive evaluations.
Abstract
Deep regression models are used in a wide variety of safety-critical applications, but are vulnerable to backdoor attacks. Although many defenses have been proposed for classification models, they are ineffective because they do not account for what is unique to regression models. First, the outputs of regression models are continuous values rather than discrete labels. Thus, the potential infected target of a backdoored regression model has infinitely many possibilities, which existing defenses cannot determine. Second, the backdoor behavior of backdoored deep regression models is triggered by the activation values of all the neurons in the feature space, which makes it difficult for existing defenses to detect and mitigate. To resolve these problems, we propose DRMGuard, the first defense to identify if a deep regression model in the image domain is backdoored or…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications · Advanced Malware Detection Techniques
