Trojan Cleansing with Neural Collapse
Xihe Gu, Greg Fields, Yaman Jandali, Tara Javidi, Farinaz Koushanfar

TL;DR
This paper links Trojan attacks to Neural Collapse phenomena, showing how attacks disrupt neural network convergence and proposing a new, effective method for Trojan cleansing across various architectures.
Contribution
It introduces a novel connection between Trojan attacks and Neural Collapse, and develops a lightweight, generalizable cleansing method based on this insight.
Findings
Trojan attacks disrupt Neural Collapse in neural networks.
The proposed cleansing method effectively removes Trojan triggers.
Experimental results demonstrate broad applicability and success.
Abstract
Trojan attacks are sophisticated training-time attacks on neural networks that embed backdoor triggers which force the network to produce a specific output on any input which includes the trigger. With the increasing relevance of deep networks which are too large to train with personal resources and which are trained on data too large to thoroughly audit, these training-time attacks pose a significant risk. In this work, we connect trojan attacks to Neural Collapse, a phenomenon wherein the final feature representations of over-parameterized neural networks converge to a simple geometric structure. We provide experimental evidence that trojan attacks disrupt this convergence for a variety of datasets and architectures. We then use this disruption to design a lightweight, broadly generalizable mechanism for cleansing trojan attacks from a wide variety of different network architectures…
