SifterNet: A Generalized and Model-Agnostic Trigger Purification Approach
Shaoye Luo, Xinxin Fan, Quanliang Jing, Chi Lin, Mengfan Li, Yunfeng Lu, Yongjun Xu

TL;DR
SifterNet is a versatile, model-agnostic defense method against backdoor attacks in neural networks, utilizing the Ising model and Hopfield networks to effectively purify triggers without prior model knowledge.
Contribution
It introduces a novel, generalized trigger purification approach using the Ising model and Hopfield networks, enabling black-box defense against backdoor attacks.
Findings
Effective trigger purification demonstrated across multiple datasets.
Outperforms state-of-the-art baselines in accuracy and robustness.
Operates without requiring model access or retraining.
Abstract
Aiming at resisting backdoor attacks in convolutional neural networks and vision Transformer-based large models, this paper proposes a generalized and model-agnostic trigger-purification approach resorting to the classic Ising model. To date, existing trigger detection/removal studies usually require detailed knowledge of the target model in advance, access to a large number of clean samples, or even model-retraining authorization, which brings huge inconvenience for practical applications, especially when the target model is inaccessible. An ideal countermeasure ought to eliminate the implanted trigger regardless of what the target models are. To this end, a lightweight and black-box defense approach, SifterNet, is proposed through leveraging the memorization-association functionality of the Hopfield network, by which the triggers of input samples can be effectively purified in a…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Advanced Malware Detection Techniques · Network Security and Intrusion Detection
Methods: Convolution
