Backdoor Defense via Adaptively Splitting Poisoned Dataset
- URL: http://arxiv.org/abs/2303.12993v1
- Date: Thu, 23 Mar 2023 02:16:38 GMT
- Title: Backdoor Defense via Adaptively Splitting Poisoned Dataset
- Authors: Kuofeng Gao, Yang Bai, Jindong Gu, Yong Yang, Shu-Tao Xia
- Abstract summary: Backdoor defenses have been studied to alleviate the threat of deep neural networks (DNNs) being backdoor attacked and maliciously altered.
We argue that the core of training-time defense is to select poisoned samples and to handle them properly.
Under our framework, we propose an adaptively splitting dataset-based defense (ASD)
- Score: 57.70673801469096
- License: http://arxiv.org/licenses/nonexclusive-distrib/1.0/
- Abstract: Backdoor defenses have been studied to alleviate the threat of deep neural
networks (DNNs) being backdoor attacked and thus maliciously altered. Since
DNNs usually adopt some external training data from an untrusted third party, a
robust backdoor defense strategy during the training stage is of importance. We
argue that the core of training-time defense is to select poisoned samples and
to handle them properly. In this work, we summarize the training-time defenses
from a unified framework as splitting the poisoned dataset into two data pools.
Under our framework, we propose an adaptively splitting dataset-based defense
(ASD). Concretely, we apply loss-guided split and meta-learning-inspired split
to dynamically update two data pools. With the split clean data pool and
polluted data pool, ASD successfully defends against backdoor attacks during
training. Extensive experiments on multiple benchmark datasets and DNN models
against six state-of-the-art backdoor attacks demonstrate the superiority of
our ASD. Our code is available at https://github.com/KuofengGao/ASD.
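Added illustration of the two-pool idea in the abstract (toy code written for this page, not the ASD authors' implementation, which lives at the GitHub URL above). A logistic-regression model is warmed up on a few trusted samples per class (an assumption of the toy; the abstract does not say what the warm-up uses), a loss-guided split then keeps the lowest-loss fraction of each claimed class as the clean pool, and a meta-style step trains a throwaway copy on the polluted pool to find the samples whose loss collapses fastest. The constructed dataset, the trigger (a single feature bit), the 50% split ratio and the reading of the meta split as "rank by loss drop" are all assumptions of this toy. ASD's semi-supervised use of the polluted pool is omitted; the toy trains only on the clean pool and compares its attack success rate with a model trained naively on everything.

```python
"""Toy loss-guided + meta-style split of a backdoor-poisoned training set.
Illustration for this page, not the ASD authors' code."""
import math
import random

TARGET = 1  # attacker's target class in this constructed toy


def make_dataset(rng, n_per_class=100, n_poison=30):
    """Constructed data: x = [class signal, noise, trigger bit]. A poisoned sample
    is a class-0 point stamped with the trigger (x[2] = 1) and relabelled TARGET.
    The is_poison flag is ground truth used only for scoring, never by the defense."""
    data = []
    for c in (0, 1):
        for _ in range(n_per_class):
            data.append(([rng.gauss(-2.0 if c == 0 else 2.0, 1.0), rng.gauss(0.0, 1.0), 0.0], c, False))
    for _ in range(n_poison):
        data.append(([rng.gauss(-2.0, 1.0), rng.gauss(0.0, 1.0), 1.0], TARGET, True))
    rng.shuffle(data)
    return data


def predict(model, x):
    """Logistic-regression probability of class 1; model = (weights, bias)."""
    w, b = model
    z = sum(wi * xi for wi, xi in zip(w, x)) + b
    return 1.0 / (1.0 + math.exp(-max(-30.0, min(30.0, z))))


def sample_loss(model, x, y):
    p = min(max(predict(model, x), 1e-7), 1.0 - 1e-7)
    return -(y * math.log(p) + (1 - y) * math.log(1.0 - p))


def train(model, samples, epochs, lr):
    """Plain SGD on the logistic loss over (x, y) pairs; returns a new model."""
    w, b = list(model[0]), model[1]
    for _ in range(epochs):
        for x, y in samples:
            g = predict((w, b), x) - y  # d loss / d z
            w = [wi - lr * g * xi for wi, xi in zip(w, x)]
            b -= lr * g
    return (w, b)


def loss_guided_split(model, data, keep_ratio):
    """Per claimed class, the lowest-loss keep_ratio fraction goes to the clean pool,
    the rest to the polluted pool. Splitting per class stops the attacker's target
    class from crowding the other classes out of the clean pool."""
    clean, polluted = [], []
    for c in sorted({y for _, y, _ in data}):
        idx = [i for i, (_, y, _) in enumerate(data) if y == c]
        idx.sort(key=lambda i: sample_loss(model, data[i][0], data[i][1]))
        k = int(keep_ratio * len(idx))
        clean += idx[:k]
        polluted += idx[k:]
    return clean, polluted


def meta_split(model, data, polluted, epochs=2, lr=0.05):
    """This toy's reading of a meta-style split: fit a throwaway copy on the polluted
    pool with its untrusted labels. Triggered samples are easy to fit, so their loss
    drops fastest; the half with the largest drop stays polluted, the half that
    barely moves (hard but clean) is promoted. Returns (promoted, still_polluted)."""
    before = {i: sample_loss(model, data[i][0], data[i][1]) for i in polluted}
    virtual = train(model, labelled(data, polluted), epochs, lr)
    drop = {i: before[i] - sample_loss(virtual, data[i][0], data[i][1]) for i in polluted}
    ranked = sorted(polluted, key=lambda i: drop[i])
    half = len(ranked) // 2
    return ranked[:half], ranked[half:]


def labelled(data, idx):
    return [(data[i][0], data[i][1]) for i in idx]


def poison_rate(data, idx):
    idx = list(idx)
    return sum(data[i][2] for i in idx) / max(len(idx), 1)


def attack_success_rate(model, rng, n=200):
    """Share of fresh, triggered class-0 inputs that the model sends to TARGET."""
    hits = sum(predict(model, [rng.gauss(-2.0, 1.0), rng.gauss(0.0, 1.0), 1.0]) > 0.5
               for _ in range(n))
    return hits / n


def run_demo(seed=0):
    rng = random.Random(seed)
    data = make_dataset(rng)
    init = ([0.0, 0.0, 0.0], 0.0)
    # Assumption of this toy: a few trusted samples per class exist for the warm-up.
    seeds = []
    for c in (0, 1):
        seeds += [(x, y) for x, y, p in data if y == c and not p][:5]
    warm = train(init, seeds, epochs=30, lr=0.1)
    clean, polluted = loss_guided_split(warm, data, keep_ratio=0.5)
    promoted, polluted = meta_split(warm, data, polluted)
    clean = clean + promoted
    defended = train(init, labelled(data, clean), epochs=30, lr=0.1)  # clean pool only
    naive = train(init, labelled(data, range(len(data))), epochs=30, lr=0.1)  # no defense
    n_poison = sum(p for _, _, p in data)
    return {
        "pools_partition_data": len(set(clean) | set(polluted)) == len(data)
                                and not (set(clean) & set(polluted)),
        "poison_rate_full": poison_rate(data, range(len(data))),
        "poison_rate_clean_pool": poison_rate(data, clean),
        "poison_recall_in_polluted": sum(data[i][2] for i in polluted) / n_poison,
        "asr_naive": attack_success_rate(naive, rng),
        "asr_defended": attack_success_rate(defended, rng),
    }


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v}")
```

Running it prints the poison rate of the whole set versus the clean pool, the share of poisoned samples that end up in the polluted pool, and the attack success rate of the naively trained model against the model trained on the clean pool only. The practitioner's check is the last pair: if the trigger is a feature the clean pool never contains, the defended model has nothing to learn it from, while the naive model fits it within a few epochs. The ground-truth is_poison flag must never feed the split itself; it is there only to score the result.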
Related papers
- Mitigating Backdoor Attack by Injecting Proactive Defensive Backdoor [63.84477483795964]
Data-poisoning backdoor attacks are serious security threats to machine learning models.
In this paper, we focus on in-training backdoor defense, aiming to train a clean model even when the dataset may be potentially poisoned.
We propose a novel defense approach called PDB (Proactive Defensive Backdoor)
arXiv Detail & Related papers (2024-05-25T07:52:26Z)
- Efficient Backdoor Attacks for Deep Neural Networks in Real-world Scenarios [17.928013313779516]
Recent deep neural networks (DNNs) have come to rely on vast amounts of training data.
In this paper, we introduce a more realistic attack scenario where victims collect data from multiple sources.
We introduce three CLIP-based technologies from two distinct streams: Clean Feature Suppression and Poisoning Feature Augmentation.
arXiv Detail & Related papers (2023-06-14T09:21:48Z)
- NCL: Textual Backdoor Defense Using Noise-augmented Contrastive Learning [14.537250979495596]
We propose a Noise-augmented Contrastive Learning framework to defend against textual backdoor attacks.
Experiments demonstrate the effectiveness of our method in defending three types of textual backdoor attacks, outperforming the prior works.
arXiv Detail & Related papers (2023-03-03T07:07:04Z)
- BackdoorBox: A Python Toolbox for Backdoor Learning [67.53987387581222]
This Python toolbox implements representative and advanced backdoor attacks and defenses.
It allows researchers and developers to easily implement and compare different methods on benchmark or their local datasets.
arXiv Detail & Related papers (2023-02-01T09:45:42Z)
- COLLIDER: A Robust Training Framework for Backdoor Data [11.510009152620666]
Deep neural network (DNN) classifiers are vulnerable to backdoor attacks.
An adversary poisons some of the training data in such attacks by installing a trigger.
Various approaches have recently been proposed to detect malicious backdoored DNNs.
arXiv Detail & Related papers (2022-10-13T03:48:46Z)
- Towards a Defense against Backdoor Attacks in Continual Federated Learning [26.536009090970257]
We propose a novel framework for defending against backdoor attacks in the federated continual learning setting.
Our framework trains two models in parallel: a backbone model and a shadow model.
We show experimentally that our framework significantly improves upon existing defenses against backdoor attacks.
arXiv Detail & Related papers (2022-05-24T03:04:21Z)
- On the Effectiveness of Adversarial Training against Backdoor Attacks [111.8963365326168]
A backdoored model always predicts a target class in the presence of a predefined trigger pattern.
In general, adversarial training is believed to defend against backdoor attacks.
We propose a hybrid strategy which provides satisfactory robustness across different backdoor attacks.
arXiv Detail & Related papers (2022-02-22T02:24:46Z)
- Anti-Backdoor Learning: Training Clean Models on Poisoned Data [17.648453598314795]
Backdoor attack has emerged as a major security threat to deep neural networks (DNNs).
We introduce the concept of anti-backdoor learning, aiming to train clean models given backdoor-poisoned data.
We empirically show that ABL-trained models on backdoor-poisoned data achieve the same performance as if they were trained on purely clean data.
arXiv Detail & Related papers (2021-10-22T03:30:48Z)
- Black-box Detection of Backdoor Attacks with Limited Information and Data [56.0735480850555]
We propose a black-box backdoor detection (B3D) method to identify backdoor attacks with only query access to the model.
In addition to backdoor detection, we also propose a simple strategy for reliable predictions using the identified backdoored models.
arXiv Detail & Related papers (2021-03-24T12:06:40Z)
- Backdoor Learning: A Survey [75.59571756777342]
Backdoor attack intends to embed hidden backdoor into deep neural networks (DNNs).
Backdoor learning is an emerging and rapidly growing research area.
This paper presents the first comprehensive survey of this realm.
arXiv Detail & Related papers (2020-07-17T04:09:20Z)
This list is automatically generated from the titles and abstracts of the papers in this site.