CatchBackdoor: Backdoor Detection via Critical Trojan Neural Path Fuzzing
Haibo Jin, Ruoxi Chen, Jinyin Chen, Haibin Zheng, Yang Zhang, Haohan Wang
TL;DR
CatchBackdoor introduces a neural-path perspective to backdoor detection by identifying a benign path and fuzzing toward a critical trojan path, then reverse-engineering a trigger to test for trojaned models using the label-change rate (LCR). It demonstrates data-free, trigger-size-agnostic detection across MNIST, CIFAR-10, and a-ImageNet with LeNet, AlexNet, ResNet, and VGG family models, against 11 attack types including defense adaptive variants. The method consistently outperforms state-of-the-art baselines, achieves high AUC around 0.9 across reasonable thresholds, and remains effective under adaptive attacks while supporting model zoo evaluation and potential post hoc retraining for hardening. These results imply a practical, scalable approach to securing pre-trained models and downstream deployments in real-world pipelines.
Abstract
The success of deep neural networks (DNNs) in real-world applications has benefited from abundant pre-trained models. However, the backdoored pre-trained models can pose a significant trojan threat to the deployment of downstream DNNs. Numerous backdoor detection methods have been proposed but are limited to two aspects: (1) high sensitivity on trigger size, especially on stealthy attacks (i.e., blending attacks and defense adaptive attacks); (2) rely heavily on benign examples for reverse engineering. To address these challenges, we empirically observed that trojaned behaviors triggered by various trojan attacks can be attributed to the trojan path, composed of top-$k$ critical neurons with more significant contributions to model prediction changes. Motivated by it, we propose CatchBackdoor, a detection method against trojan attacks. Based on the close connection between trojaned behaviors and trojan path to trigger errors, CatchBackdoor starts from the benign path and gradually approximates the trojan path through differential fuzzing. We then reverse triggers from the trojan path, to trigger errors caused by diverse trojaned attacks. Extensive experiments on MINST, CIFAR-10, and a-ImageNet datasets and 7 models (LeNet, ResNet, and VGG) demonstrate the superiority of CatchBackdoor over the state-of-the-art methods, in terms of (1) \emph{effective} - it shows better detection performance, especially on stealthy attacks ($\sim$ $\times$ 2 on average); (2) \emph{extensible} - it is robust to trigger size and can conduct detection without benign examples.
