Backdoor for Debias: Mitigating Model Bias with Backdoor Attack-based Artificial Bias

TL;DR

The paper tackles the problem of model bias in deep learning and critiques existing pre-, in-, and post-processing debiasing methods. It reveals that backdoor triggers can induce controllable artificial bias that resembles dataset-induced bias and leverages this insight to design BaDe, a two-stage debiasing framework using artificial bias injection guided by TAR(n) and subsequent knowledge distillation to produce a trigger-free student. The key contributions include establishing a link between backdoor signals and bias, proposing the BaDe framework with artificial bias injection and distillation, and validating on both image and structured datasets with strong debiasing performance and controllability of artificial bias. The approach demonstrates that backdoors can be repurposed for beneficial debiasing, preserving accuracy while reducing bias, with practical implications for fairness without sacrificing performance.

Abstract

With the swift advancement of deep learning, state-of-the-art algorithms have been utilized in various social situations. Nonetheless, some algorithms have been discovered to exhibit biases and provide unequal results. The current debiasing methods face challenges such as poor utilization of data or intricate training requirements. In this work, we found that the backdoor attack can construct an artificial bias similar to the model bias derived in standard training. Considering the strong adjustability of backdoor triggers, we are motivated to mitigate the model bias by carefully designing reverse artificial bias created from backdoor attack. Based on this, we propose a backdoor debiasing framework based on knowledge distillation, which effectively reduces the model bias from original data and minimizes security risks from the backdoor attack. The proposed solution is validated on both image and structured datasets, showing promising results. This work advances the understanding of backdoor attacks and highlights its potential for beneficial applications. The code for the study can be found at \url{https://anonymous.4open.science/r/DwB-BC07/}.

Figures (7)

• Figure 1: An overview of our proposed algorithm. We constructed the backdoor triggers to generate a gender-like bias, i.e., samples with $Blue\ Trigger$ preferred wearing lipstick, and samples with $Red\ Trigger$ did not tend to wear lipstick. In the test stage, let the male samples carry the $Blue\ Trigger$ and the female samples carry the $Red\ Trigger$ to obtain a fair output.
• Figure 2: Variation of trigger influence with changing injection ratio. X-axis is the proportion of changing the label in the image with the triggers, and y-axis is the accuracy gap between the clean samples and the samples with the triggers on the attacked model.
• Figure 3: A comparison of the effect of artificial bias and data bias on the model. X-axis is the model bias caused by the dataset, and y-axis is the artificial bias caused by backdoor triggers. The left figure shows the results using $Odds$ as an indicator, and the right figure shows the results using $EAcc.$ as an indicator.
• Figure 4: The framework diagram of our proposed method. The whole algorithm consists of two stages. In the first stage, the trigger is independently inserted into $\mathcal{D}_{backdoor}$ based on the calculated $TAR(n)$ to allow the model to learn an artificial bias that can mitigate the original bias attribute. In stage two, triggers are added to $\mathcal{D}_{balance}$ based on the original bias variables present that control the teacher model to output fair features. Model distillation is then utilized to teach the student model to learn these fair features.
• Figure 5: The impact of trigger injection ratio on algorithm performance. We traversed the influence of different $TAR(Have)$ and $TAR(Not\ Have)$ values. The left figure is the performance of the $Odds$, and the right figure is the performance of the $EAcc.$. X-axis is the value of $TAR(Have)$, and y-axis is the value of $TAR(Not\ Have)$. Figures (a) and (b) are the results of the $Attractive$ and $Gray\_Hair$ attributes when $Male$ is the bias variable, respectively.