DISTIL: Data-Free Inversion of Suspicious Trojan Inputs via Latent Diffusion

TL;DR

DISTIL introduces a data-free, diffusion-based method for accurately reconstructing Trojan triggers in neural networks, enhancing backdoor detection without requiring training data or strong trigger assumptions.

Contribution

It proposes a novel zero-shot, diffusion-guided trigger inversion technique that outperforms existing methods in identifying malicious triggers in neural networks.

Findings

Achieves up to 7.1% higher accuracy on BackdoorBench dataset.

Improves trojaned object detection model scanning by 9.4%.

Effectively distinguishes clean versus Trojaned models.

Abstract

Deep neural networks have demonstrated remarkable success across numerous tasks, yet they remain vulnerable to Trojan (backdoor) attacks, raising serious concerns about their safety in real-world mission-critical applications. A common countermeasure is trigger inversion -- reconstructing malicious "shortcut" patterns (triggers) inserted by an adversary during training. Current trigger-inversion methods typically search the full pixel space under specific assumptions but offer no assurances that the estimated trigger is more than an adversarial perturbation that flips the model output. Here, we propose a data-free, zero-shot trigger-inversion strategy that restricts the search space while avoiding strong assumptions on trigger appearance. Specifically, we incorporate a diffusion-based generator guided by the target classifier; through iterative generation, we produce candidate triggers that align with the internal representations the model relies on for malicious behavior. Empirical evaluations, both quantitative and qualitative, show that our approach reconstructs triggers that effectively distinguish clean versus Trojaned models. DISTIL surpasses alternative methods by high margins, achieving up to 7.1% higher accuracy on the BackdoorBench dataset and a 9.4% improvement on trojaned object detection model scanning, offering a promising new direction for reliable backdoor defense without reliance on extensive data or strong prior assumptions about triggers. The code is available at https://github.com/AdaptiveMotorControlLab/DISTIL.