Table of Contents
Fetching ...

CatchBackdoor: Backdoor Detection via Critical Trojan Neural Path Fuzzing

Haibo Jin, Ruoxi Chen, Jinyin Chen, Haibin Zheng, Yang Zhang, Haohan Wang

TL;DR

CatchBackdoor introduces a neural-path perspective to backdoor detection by identifying a benign path and fuzzing toward a critical trojan path, then reverse-engineering a trigger to test for trojaned models using the label-change rate (LCR). It demonstrates data-free, trigger-size-agnostic detection across MNIST, CIFAR-10, and a-ImageNet with LeNet, AlexNet, ResNet, and VGG family models, against 11 attack types including defense adaptive variants. The method consistently outperforms state-of-the-art baselines, achieves high AUC around 0.9 across reasonable thresholds, and remains effective under adaptive attacks while supporting model zoo evaluation and potential post hoc retraining for hardening. These results imply a practical, scalable approach to securing pre-trained models and downstream deployments in real-world pipelines.

Abstract

The success of deep neural networks (DNNs) in real-world applications has benefited from abundant pre-trained models. However, the backdoored pre-trained models can pose a significant trojan threat to the deployment of downstream DNNs. Numerous backdoor detection methods have been proposed but are limited to two aspects: (1) high sensitivity on trigger size, especially on stealthy attacks (i.e., blending attacks and defense adaptive attacks); (2) rely heavily on benign examples for reverse engineering. To address these challenges, we empirically observed that trojaned behaviors triggered by various trojan attacks can be attributed to the trojan path, composed of top-$k$ critical neurons with more significant contributions to model prediction changes. Motivated by it, we propose CatchBackdoor, a detection method against trojan attacks. Based on the close connection between trojaned behaviors and trojan path to trigger errors, CatchBackdoor starts from the benign path and gradually approximates the trojan path through differential fuzzing. We then reverse triggers from the trojan path, to trigger errors caused by diverse trojaned attacks. Extensive experiments on MINST, CIFAR-10, and a-ImageNet datasets and 7 models (LeNet, ResNet, and VGG) demonstrate the superiority of CatchBackdoor over the state-of-the-art methods, in terms of (1) \emph{effective} - it shows better detection performance, especially on stealthy attacks ($\sim$ $\times$ 2 on average); (2) \emph{extensible} - it is robust to trigger size and can conduct detection without benign examples.

CatchBackdoor: Backdoor Detection via Critical Trojan Neural Path Fuzzing

TL;DR

CatchBackdoor introduces a neural-path perspective to backdoor detection by identifying a benign path and fuzzing toward a critical trojan path, then reverse-engineering a trigger to test for trojaned models using the label-change rate (LCR). It demonstrates data-free, trigger-size-agnostic detection across MNIST, CIFAR-10, and a-ImageNet with LeNet, AlexNet, ResNet, and VGG family models, against 11 attack types including defense adaptive variants. The method consistently outperforms state-of-the-art baselines, achieves high AUC around 0.9 across reasonable thresholds, and remains effective under adaptive attacks while supporting model zoo evaluation and potential post hoc retraining for hardening. These results imply a practical, scalable approach to securing pre-trained models and downstream deployments in real-world pipelines.

Abstract

The success of deep neural networks (DNNs) in real-world applications has benefited from abundant pre-trained models. However, the backdoored pre-trained models can pose a significant trojan threat to the deployment of downstream DNNs. Numerous backdoor detection methods have been proposed but are limited to two aspects: (1) high sensitivity on trigger size, especially on stealthy attacks (i.e., blending attacks and defense adaptive attacks); (2) rely heavily on benign examples for reverse engineering. To address these challenges, we empirically observed that trojaned behaviors triggered by various trojan attacks can be attributed to the trojan path, composed of top- critical neurons with more significant contributions to model prediction changes. Motivated by it, we propose CatchBackdoor, a detection method against trojan attacks. Based on the close connection between trojaned behaviors and trojan path to trigger errors, CatchBackdoor starts from the benign path and gradually approximates the trojan path through differential fuzzing. We then reverse triggers from the trojan path, to trigger errors caused by diverse trojaned attacks. Extensive experiments on MINST, CIFAR-10, and a-ImageNet datasets and 7 models (LeNet, ResNet, and VGG) demonstrate the superiority of CatchBackdoor over the state-of-the-art methods, in terms of (1) \emph{effective} - it shows better detection performance, especially on stealthy attacks ( 2 on average); (2) \emph{extensible} - it is robust to trigger size and can conduct detection without benign examples.
Paper Structure (46 sections, 11 equations, 19 figures, 11 tables, 2 algorithms)

This paper contains 46 sections, 11 equations, 19 figures, 11 tables, 2 algorithms.

Figures (19)

  • Figure 1: Neural paths simulated by benign and trojaned examples. Dataset: 3-class ImageNet subset; Attack: BadNets (trojan rate=0.1); Target Classification: "Tabby Cat." The bars, colored in green, blue, and orange, represent the average neuron contribution and activation frequency within the model's second layer, transitioning from benign to trojan states.
  • Figure 1: Illustration of benign path, critical trojan path, and trojan path.
  • Figure 2: The framework of CatchBackdoor: A benign seed (random noise or benign input) is input to the DNN to create a benign neural path. We then fuzz this path by maximizing neuron contribution, converging to a critical trojan path, which generates testing examples. A batch of benign seeds yields the same number of testing examples. These, along with the benign seeds, are fed into the DNN. CatchBackdoor determines if the model is trojaned by calculating the label change rate (LCR); a higher LCR indicates a higher probability of being trojaned.
  • Figure 2: The activation value and frequency activated by benign examples, trojaned examples, and testing examples by CatchBackdoor.
  • Figure 3: The proportion of different prediction classes.
  • ...and 14 more figures