Gradient Norm-based Fine-Tuning for Backdoor Defense in Automatic Speech Recognition

TL;DR

This paper introduces Gradient Norm-based Fine-Tuning (GN-FT), a novel defense method against backdoor attacks in speech recognition models, leveraging gradient analysis to effectively weaken backdoored neurons and improve security.

Contribution

It presents the first specialized defense for backdoor attacks in the audio domain, utilizing gradient norm regularization to effectively mitigate backdoors in speech recognition models.

Findings

GN-FT effectively reduces backdoor influence in speech models.

Backdoored neurons exhibit higher gradient norms than clean neurons.

Experimental results show superior performance across datasets and models.

Abstract

Backdoor attacks have posed a significant threat to the security of deep neural networks (DNNs). Despite considerable strides in developing defenses against backdoor attacks in the visual domain, the specialized defenses for the audio domain remain empty. Furthermore, the defenses adapted from the visual to audio domain demonstrate limited effectiveness. To fill this gap, we propose Gradient Norm-based FineTuning (GN-FT), a novel defense strategy against the attacks in the audio domain, based on the observation from the corresponding backdoored models. Specifically, we first empirically find that the backdoored neurons exhibit greater gradient values compared to other neurons, while clean neurons stay the lowest. On this basis, we fine-tune the backdoored model by incorporating the gradient norm regularization, aiming to weaken and reduce the backdoored neurons. We further approximate the loss computation for lower implementation costs. Extensive experiments on two speech recognition datasets across five models demonstrate the superior performance of our proposed method. To the best of our knowledge, this work is the first specialized and effective defense against backdoor attacks in the audio domain.