Variance-Based Defense Against Blended Backdoor Attacks
Sujeevan Aseervatham, Achraf Kerzazi, Younès Bennani

TL;DR
This paper introduces a variance-based defense method for backdoor attacks that detects poisoned classes and extracts attack triggers, improving explainability and effectiveness without relying on clean datasets.
Contribution
The proposed method uniquely detects poisoned classes and extracts attack triggers, enhancing explainability and robustness against backdoor attacks without needing clean data.
Findings
Effective detection of poisoned classes in experiments
Successful extraction of attack triggers
Outperforms state-of-the-art defenses
Abstract
Backdoor attacks represent a subtle yet effective class of cyberattacks targeting AI models, primarily due to their stealthy nature. The model behaves normally on clean data but exhibits malicious behavior only when the attacker embeds a specific trigger into the input. This attack is performed during the training phase, where the adversary corrupts a small subset of the training data by embedding a pattern and modifying the labels to a chosen target. The objective is to make the model associate the pattern with the target label while maintaining normal performance on unaltered data. Several defense mechanisms have been proposed to sanitize training datasets. However, these methods often rely on the availability of a clean dataset to compute statistical anomalies, which may not always be feasible in real-world scenarios where datasets can be unavailable or compromised. To address this…
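As an added toy illustration of the variance intuition, not the paper's algorithm (the abstract does not detail it): blended poisoning relabels samples of other classes to a target class, so the target class becomes a mixture of input distributions whose per-feature variance stands out against the median of the other classes, and the check uses only the possibly poisoned training set, no clean reference. The feature layout, trigger pattern, blend strength and ratio threshold are all assumptions; trigger extraction is not shown.

```python
import random
import statistics

# Constructed toy setting (assumptions, not the paper's data or method).
N_FEATURES = 16   # a 4x4 "image", flattened
N_CLASSES = 5
TARGET = 4        # class the attacker relabels poisoned samples to
ALPHA = 0.2       # blend strength of the trigger
TRIGGER = [1.0 if j % 2 else 0.0 for j in range(N_FEATURES)]  # checkerboard


def clean_sample(cls, rng):
    """Class `cls` lights up features 3*cls..3*cls+2, plus small noise."""
    return [(1.0 if 3 * cls <= j < 3 * cls + 3 else 0.0) + rng.gauss(0, 0.05)
            for j in range(N_FEATURES)]


def build_poisoned_dataset(n_per_class=60, n_poison_per_source=10, seed=0):
    """Clean data plus blended poisoning: samples of every non-target class
    get the trigger alpha-blended in and their label flipped to TARGET."""
    rng = random.Random(seed)
    data = []
    for cls in range(N_CLASSES):
        data += [(clean_sample(cls, rng), cls) for _ in range(n_per_class)]
        if cls != TARGET:
            for _ in range(n_poison_per_source):
                x = clean_sample(cls, rng)
                blended = [(1 - ALPHA) * v + ALPHA * t for v, t in zip(x, TRIGGER)]
                data.append((blended, TARGET))  # relabelled to the target
    return data


def class_variance_scores(data):
    """Mean per-feature variance of each class's inputs. The target class
    mixes other classes' inputs, so its spread is inflated."""
    by_class = {c: [] for c in range(N_CLASSES)}
    for x, y in data:
        by_class[y].append(x)
    return {c: statistics.mean(statistics.pvariance(col) for col in zip(*xs))
            for c, xs in by_class.items()}


def detect_poisoned_classes(scores, ratio=3.0):
    """Flag classes whose score exceeds `ratio` times the median over classes;
    the median is computed from the training set itself, no clean data."""
    baseline = statistics.median(scores.values())
    return sorted(c for c, s in scores.items() if s > ratio * baseline)
```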
