Revisiting the Auxiliary Data in Backdoor Purification

TL;DR

This paper evaluates the dependence of backdoor purification techniques on auxiliary dataset quality and introduces Guided Input Calibration (GIC), a learnable transformation method that improves purification effectiveness across various auxiliary data types.

Contribution

The study reveals the impact of auxiliary dataset quality on purification success and proposes GIC, a novel method that enhances purification by aligning auxiliary data with the training set.

Findings

High-quality in-distribution datasets are crucial for effective purification.

Out-of-distribution auxiliary datasets significantly reduce purification performance.

GIC improves purification results across diverse auxiliary datasets.

Abstract

Backdoor attacks occur when an attacker subtly manipulates machine learning models during the training phase, leading to unintended behaviors when specific triggers are present. To mitigate such emerging threats, a prevalent strategy is to cleanse the victim models by various backdoor purification techniques. Despite notable achievements, current state-of-the-art (SOTA) backdoor purification techniques usually rely on the availability of a small clean dataset, often referred to as auxiliary dataset. However, acquiring an ideal auxiliary dataset poses significant challenges in real-world applications. This study begins by assessing the SOTA backdoor purification techniques across different types of real-world auxiliary datasets. Our findings indicate that the purification effectiveness fluctuates significantly depending on the type of auxiliary dataset used. Specifically, a high-quality in-distribution auxiliary dataset is essential for effective purification, whereas datasets from varied or out-of-distribution sources significantly degrade the defensive performance. Based on this, we propose Guided Input Calibration (GIC), which aims to improve purification efficacy by employing a learnable transformation. Guided by the victim model itself, GIC aligns the characteristics of the auxiliary dataset with those of the original training set. Comprehensive experiments demonstrate that GIC can substantially enhance purification performance across diverse types of auxiliary datasets. The code and data will be available via https://github.com/shawkui/BackdoorBenchER.