Isolate Trigger: Detecting and Eliminating Adaptive Backdoor Attacks

TL;DR

This paper introduces Isolate Trigger (IsTr), a novel framework for detecting and mitigating adaptive backdoor attacks in deep learning models, effectively handling complex trigger patterns entangled with benign features.

Contribution

IsTr is the first comprehensive method to detect and eliminate adaptive backdoors entangled with benign features, outperforming existing defenses in accuracy and efficiency.

Findings

Achieves over 95% detection accuracy in various scenarios.

Reduces detection overhead by an order of magnitude.

Maintains low attack success rate below 3% after repair.

Abstract

Deep learning models are widely deployed in various applications but remain vulnerable to stealthy adversarial threats, particularly backdoor attacks. Backdoor models trained on poisoned datasets behave normally with clean inputs but cause mispredictions when a specific trigger is present. Most existing backdoor defenses assume that adversaries only inject one backdoor with small and conspicuous triggers. However, adaptive backdoor that entangle multiple trigger patterns with benign features can effectively bypass existing defenses. To defend against these attacks, we propose Isolate Trigger (IsTr), an accurate and efficient framework for backdoor detection and mitigation. IsTr aims to eliminate the influence of benign features and reverse hidden triggers. IsTr is motivated by the observation that a model's feature extractor focuses more on benign features while its classifier focuses more on trigger patterns. Based on this difference, IsTr designs Steps and Differential-Middle-Slice to resolve the detecting challenge of isolating triggers from benign features. Moreover, IsTr employs unlearning-based repair to remove both attacker-injected and natural backdoors while maintaining model benign accuracy. We extensively evaluate IsTr against six representative backdoor attacks and compare with seven state-of-the-art baseline methods across three real-world applications: digit recognition, face recognition, and traffic sign recognition. In most cases, IsTr reduces detection overhead by an order of magnitude while achieving over 95\% detection accuracy and maintaining the post-repair attack success rate below 3\%, outperforming baseline defenses. IsTr remains robust against various adaptive attacks, even when trigger patterns are heavily entangled with benign features.