Backdoor Defense via Decoupling the Training Process [article]

Kunzhe Huang, Yiming Li, Baoyuan Wu, Zhan Qin, Kui Ren
2022, arXiv (pre-print)
Recent studies have revealed that deep neural networks (DNNs) are vulnerable to backdoor attacks, where attackers embed hidden backdoors in the DNN model by poisoning a few training samples. The attacked model behaves normally on benign samples, whereas its prediction will be maliciously changed when the backdoor is activated. We reveal that poisoned samples tend to cluster together in the feature space of the attacked DNN model, which is mostly due to the end-to-end supervised training ... Inspired by this observation, we propose a novel backdoor defense via decoupling the original end-to-end training process into three stages. Specifically, we first learn the backbone of a DNN model via self-supervised learning based on training samples without their labels. The learned backbone will map samples with the same ground-truth label to similar locations in the feature space. Then, we freeze the parameters of the learned backbone and train the remaining fully connected layers via standard training with all (labeled) training samples. Lastly, to further alleviate side-effects of poisoned samples in the second stage, we remove labels of some 'low-credible' samples determined based on the learned model and conduct a semi-supervised fine-tuning of the whole model. Extensive experiments on multiple benchmark datasets and DNN models verify that the proposed defense is effective in reducing backdoor threats while preserving high accuracy in predicting benign samples. Our code is available at .
arXiv: https://arxiv.org/abs/2202.03423v1 (arXiv:2202.03423v1)
fatcat: https://fatcat.wiki/release/45sri7w5hvbpvede4iimri7jtq (fatcat:45sri7w5hvbpvede4iimri7jtq)
Full text (PDF, Web Archive): https://web.archive.org/web/20220210172141/https://arxiv.org/pdf/2202.03423v1.pdf