Quantization Blindspots: How Model Compression Breaks Backdoor Defenses

TL;DR

This paper reveals that standard quantization practices in neural network deployment significantly undermine the effectiveness of existing backdoor defenses, exposing a critical gap in current evaluation methods.

Contribution

It systematically studies the impact of quantization on backdoor defenses, highlighting the need to consider quantization robustness in defense evaluation and design.

Findings

INT8 quantization reduces detection rates to 0%

Backdoors remain effective with high attack success rates after quantization

Defense effectiveness varies with dataset and quantization level

Abstract

Backdoor attacks embed input-dependent malicious behavior into neural networks while preserving high clean accuracy, making them a persistent threat for deployed ML systems. At the same time, real-world deployments almost never serve full-precision models: post-training quantization to INT8 or lower precision is now standard practice for reducing memory and latency. This work asks a simple question: how do existing backdoor defenses behave under standard quantization pipelines? We conduct a systematic empirical study of five representative defenses across three precision settings (FP32, INT8 dynamic, INT4 simulated) and two standard vision benchmarks using a canonical BadNet attack. We observe that INT8 quantization reduces the detection rate of all evaluated defenses to 0% while leaving attack success rates above 99%. For INT4, we find a pronounced dataset dependence: Neural Cleanse remains effective on GTSRB but fails on CIFAR-10, even though backdoors continue to survive quantization with attack success rates above 90%. Our results expose a mismatch between how defenses are commonly evaluated (on FP32 models) and how models are actually deployed (in quantized form), and they highlight quantization robustness as a necessary axis in future evaluations and designs of backdoor defenses.