CSC: Turning the Adversary's Poison against Itself

TL;DR

This paper introduces CSC, a novel defense against poisoning-based backdoor attacks that effectively detects and suppresses poisoned samples by leveraging early training dynamics and clustering, significantly reducing attack success rates.

Contribution

The paper presents a new poison suppression method, Cluster Segregation Concealment (CSC), which identifies poisoned samples early and relabels them to maintain model accuracy while eliminating backdoors.

Findings

CSC reduces attack success rates to near zero across multiple datasets.

CSC outperforms nine state-of-the-art defenses in empirical evaluations.

Minimal accuracy loss on clean data demonstrates CSC's effectiveness and robustness.

Abstract

Poisoning-based backdoor attacks pose significant threats to deep neural networks by embedding triggers in training data, causing models to misclassify triggered inputs as adversary-specified labels while maintaining performance on clean data. Existing poison restraint-based defenses often suffer from inadequate detection against specific attack variants and compromise model utility through unlearning methods that lead to accuracy degradation. This paper conducts a comprehensive analysis of backdoor attack dynamics during model training, revealing that poisoned samples form isolated clusters in latent space early on, with triggers acting as dominant features distinct from benign ones. Leveraging these insights, we propose Cluster Segregation Concealment (CSC), a novel poison suppression defense. CSC first trains a deep neural network via standard supervised learning while segregating poisoned samples through feature extraction from early epochs, DBSCAN clustering, and identification of anomalous clusters based on class diversity and density metrics. In the concealment stage, identified poisoned samples are relabeled to a virtual class, and the model's classifier is fine-tuned using cross-entropy loss to replace the backdoor association with a benign virtual linkage, preserving overall accuracy. CSC was evaluated on four benchmark datasets against twelve poisoning-based attacks, CSC outperforms nine state-of-the-art defenses by reducing average attack success rates to near zero with minimal clean accuracy loss. Contributions include robust backdoor patterns identification, an effective concealment mechanism, and superior empirical validation, advancing trustworthy artificial intelligence.