TL;DR
Lite-BD is a lightweight, two-stage black-box defense against backdoor attacks on DNNs that uses image transformations, including super-resolution and frequency filtering, to neutralize triggers effectively.
Contribution
The paper introduces Lite-BD, a novel two-stage black-box backdoor defense combining spatial and frequency transformations, with justified design choices and improved efficiency.
Findings
Effective disruption of backdoor triggers with down-upscaling.
Frequency filtering further removes hidden triggers.
Robust performance against state-of-the-art attacks.
Abstract
Deep Neural Networks (DNNs) are vulnerable to backdoor attacks. Due to the nature of Machine Learning as a Service (MLaaS) applications, black-box defenses are more practical than white-box methods, yet existing purification techniques suffer from key limitations: a lack of justification for specific transformations, dataset dependency, high computational overhead, and a neglect of frequency-domain transformations. This paper conducts a preliminary study on various image transformations, identifying down-upscaling as the most effective backdoor trigger disruption technique. We subsequently propose Lite-BD, a lightweight two-stage black-box backdoor defense. Lite-BD first employs a super-resolution-based down-upscaling stage to neutralize spatial triggers. A secondary stage utilizes query-based band-by-band frequency filtering to remove triggers hidden in specific bands.…
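The two purification stages the abstract describes, as an added illustration that is not code from the Lite-BD paper or its authors. Assumptions: average-pool plus nearest-neighbour resizing stands in for super-resolution-based down-upscaling, a naive DFT band-stop stands in for one step of band-by-band filtering, and the 8x8 image, the two toy triggers and `trigger_strength` are constructed for the example. The query step against the black-box model is not modelled.

```python
import cmath, math

N = 8  # side of the constructed grayscale test image

def dft2(grid, inverse=False):
    """Naive 2-D DFT (or inverse DFT) of an N x N grid."""
    sign = 1 if inverse else -1
    scale = N * N if inverse else 1
    return [[sum(grid[y][x] * cmath.exp(sign * 2j * math.pi * (u * x + v * y) / N)
                 for y in range(N) for x in range(N)) / scale
             for u in range(N)] for v in range(N)]

def band_stop(img, band):
    """Zero every coefficient whose (Chebyshev) frequency radius equals `band`."""
    F = dft2(img)
    for v in range(N):
        for u in range(N):
            if max(min(u, N - u), min(v, N - v)) == band:
                F[v][u] = 0
    return [[c.real for c in row] for row in dft2(F, inverse=True)]

def down_upscale(img, f=2):
    """Average-pool by f, then nearest-neighbour upscale back to N x N."""
    small = [[sum(img[y + dy][x + dx] for dy in range(f) for dx in range(f)) / f ** 2
              for x in range(0, N, f)] for y in range(0, N, f)]
    return [[small[y // f][x // f] for x in range(N)] for y in range(N)]

def add(a, b):
    return [[a[y][x] + b[y][x] for x in range(N)] for y in range(N)]

def trigger_strength(transform, clean, trig):
    """Fraction of the trigger pattern still present after `transform`:
    projection of T(clean + trig) - T(clean) onto trig (1.0 = untouched)."""
    p, c = transform(add(clean, trig)), transform(clean)
    dot = sum((p[y][x] - c[y][x]) * trig[y][x] for y in range(N) for x in range(N))
    return dot / sum(t * t for row in trig for t in row)

# Constructed inputs: a smooth clean image and two toy triggers.
CLEAN = [[(x + y) / 28 for x in range(N)] for y in range(N)]
PATCH = [[0.5 if (x, y) == (7, 7) else 0.0 for x in range(N)] for y in range(N)]
WAVE = [[0.1 * math.cos(2 * math.pi * x / N) for x in range(N)] for y in range(N)]

if __name__ == "__main__":
    print("patch after down-upscale:", trigger_strength(down_upscale, CLEAN, PATCH))
    print("wave  after down-upscale:", trigger_strength(down_upscale, CLEAN, WAVE))
    for b in range(N // 2 + 1):
        s = trigger_strength(lambda i: band_stop(i, b), CLEAN, WAVE)
        print(f"wave  after band-stop {b}:", round(s, 6))
```

On these constructed inputs the single-pixel patch keeps 25% of its strength after down-upscaling, while the low-frequency wave keeps about 85% and disappears only when band 1 is stopped.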
