TED-LaST: Towards Robust Backdoor Defense Against Adaptive Attacks

TL;DR

TED-LaST introduces a robust defense mechanism against adaptive backdoor attacks in DNNs by enhancing topological detection methods with label supervision and adaptive emphasis, effectively countering stealthy threats across multiple datasets and models.

Contribution

The paper proposes TED-LaST, a novel extension of TED that improves robustness against adaptive backdoor attacks through label-supervised dynamics and adaptive layer emphasis.

Findings

Effective detection of sophisticated backdoors like Adap-Blend and Adapt-Patch.

Outperforms existing defenses on CIFAR-10, GTSRB, and ImageNet100.

Sets new benchmarks for backdoor defense robustness.

Abstract

Deep Neural Networks (DNNs) are vulnerable to backdoor attacks, where attackers implant hidden triggers during training to maliciously control model behavior. Topological Evolution Dynamics (TED) has recently emerged as a powerful tool for detecting backdoor attacks in DNNs. However, TED can be vulnerable to backdoor attacks that adaptively distort topological representation distributions across network layers. To address this limitation, we propose TED-LaST (Topological Evolution Dynamics against Laundry, Slow release, and Target mapping attack strategies), a novel defense strategy that enhances TED's robustness against adaptive attacks. TED-LaST introduces two key innovations: label-supervised dynamics tracking and adaptive layer emphasis. These enhancements enable the identification of stealthy threats that evade traditional TED-based defenses, even in cases of inseparability in topological space and subtle topological perturbations. We review and classify data poisoning tricks in state-of-the-art adaptive attacks and propose enhanced adaptive attack with target mapping, which can dynamically shift malicious tasks and fully leverage the stealthiness that adaptive attacks possess. Our comprehensive experiments on multiple datasets (CIFAR-10, GTSRB, and ImageNet100) and model architectures (ResNet20, ResNet101) show that TED-LaST effectively counteracts sophisticated backdoors like Adap-Blend, Adapt-Patch, and the proposed enhanced adaptive attack. TED-LaST sets a new benchmark for robust backdoor detection, substantially enhancing DNN security against evolving threats.