Kill it with FIRE: On Leveraging Latent Space Directions for Runtime Backdoor Mitigation in Deep Neural Networks
Enrico Ahlers, Daniel Passon, Yannic Noller, Lars Grunske

TL;DR
This paper introduces FIRE, a novel inference-time method that neutralizes backdoor triggers in neural networks by manipulating latent space directions, offering an efficient and effective solution for deployed models.
Contribution
We propose FIRE, a new approach that mitigates backdoors at inference time by reversing trigger effects in latent space, outperforming existing methods across multiple benchmarks.
Findings
FIRE effectively neutralizes backdoor triggers in neural networks.
FIRE outperforms existing runtime mitigation techniques in accuracy and efficiency.
FIRE has low computational overhead and works across various datasets and architectures.
Abstract
Machine learning models are increasingly present in our everyday lives; as a result, they become targets of adversarial attackers seeking to manipulate the systems we interact with. A well-known vulnerability is a backdoor introduced into a neural network by poisoned training data or a malicious training process. Backdoors can be used to induce unwanted behavior by including a certain trigger in the input. Existing mitigations filter training data, modify the model, or perform expensive input modifications on samples. If a vulnerable model has already been deployed, however, those strategies are either ineffective or inefficient. To address this gap, we propose our inference-time backdoor mitigation approach called FIRE (Feature-space Inference-time REpair). We hypothesize that a trigger induces structured and repeatable changes in the model's internal representation. We view the…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Explainable Artificial Intelligence (XAI) · Domain Adaptation and Few-Shot Learning
