Backdoor Mitigation by Distance-Driven Detoxification
Shaokui Wei, Jiayin Liu, Hongyuan Zha

TL;DR
This paper introduces Distance-Driven Detoxification (D3), a novel post-training method that effectively mitigates backdoor attacks in pre-trained models by encouraging the model to move away from its initial weights, outperforming existing defenses.
Contribution
The paper proposes D3, a new backdoor mitigation technique formulated as a constrained optimization problem that enhances post-training detoxification effectiveness.
Findings
D3 often surpasses state-of-the-art defenses in experiments.
D3 effectively reduces backdoor influence across various models.
D3 maintains model accuracy on clean data.
Abstract
Backdoor attacks undermine the integrity of machine learning models by allowing attackers to manipulate predictions using poisoned training data. Such attacks lead to targeted misclassification when specific triggers are present, while the model behaves normally under other conditions. This paper considers a post-training backdoor defense task, aiming to detoxify the backdoors in pre-trained models. We begin by analyzing the underlying issues of vanilla fine-tuning and observe that it is often trapped in regions with low loss for both clean and poisoned samples. Motivated by such observations, we propose Distance-Driven Detoxification (D3), an innovative approach that reformulates backdoor defense as a constrained optimization problem. Specifically, D3 promotes the model's departure from the vicinity of its initial weights, effectively reducing the influence of backdoors. Extensive…
Taxonomy
Topics: Analytical Chemistry and Sensors
