Backdoor Secrets Unveiled: Identifying Backdoor Data with Optimized Scaled Prediction Consistency

Soumyadeep Pal, Yuguang Yao, Ren Wang, Bingquan Shen, Sijia Liu

TL;DR

This work tackles the practical problem of identifying backdoor data within poisoned datasets without access to clean data or predefined detection thresholds. It extends the scaled prediction consistency (SPC) signature by introducing mask-aware SPC (MSPC) and a bi-level optimization scheme to automatically split data into backdoor and clean sets. The approach leverages a learnable mask to preserve the trigger's effective region and employs alternating optimization to minimize an MSPC-based loss while determining the backdoor labels. Across CIFAR-10, Tiny-ImageNet, and ImageNet200 with multiple backdoor attacks, MSPC achieves strong AUROC and enables threshold-free identification, with retraining on the identified clean subset significantly reducing attack success rates. This work offers a practically viable, data-sufficient defense for backdoor data, pushing forward threshold-free data cleaning in poisoned training pipelines.

Abstract

Modern machine learning (ML) systems demand substantial training data, often resorting to external sources. Nevertheless, this practice renders them vulnerable to backdoor poisoning attacks. Prior backdoor defense strategies have primarily focused on the identification of backdoored models or poisoned data characteristics, typically operating under the assumption of access to clean data. In this work, we delve into a relatively underexplored challenge: the automatic identification of backdoor data within a poisoned dataset, all under realistic conditions, i.e., without the need for additional clean data and without manually defining a threshold for backdoor detection. We draw inspiration from the scaled prediction consistency (SPC) technique, which exploits the prediction invariance of poisoned data to an input scaling factor. Based on this, we pose the backdoor data identification problem as a hierarchical data splitting optimization problem, leveraging a novel SPC-based loss function as the primary optimization objective. Our innovation unfolds in several key aspects. First, we revisit the vanilla SPC method, unveiling its limitations in addressing the proposed backdoor identification problem. Subsequently, we develop a bi-level optimization-based approach to precisely identify backdoor data by minimizing the advanced SPC loss. Finally, we demonstrate the efficacy of our proposal against a spectrum of backdoor attacks, encompassing basic label-corrupted attacks as well as more sophisticated clean-label attacks, evaluated across various benchmark datasets. Experimental results show that our approach often surpasses the performance of current baselines in identifying backdoor data points, resulting in about 4%-36% improvement in average AUROC. Code is available at https://github.com/OPTML-Group/BackdoorMSPC.
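
The scaling signature the abstract refers to can be seen on a toy model. The following is an added example, not code from the paper or its repository: the classifier, the 16-pixel "images", the target label, the trigger location and the set of scaling factors are all constructed assumptions, and the score used here is simply the fraction of scaled copies that keep the original prediction.

```python
# Toy illustration of scaled prediction consistency (SPC) on constructed data.
TARGET = 1                       # assumed backdoor target label
TRIGGER_IDX = (12, 13, 14, 15)   # assumed trigger patch location
SCALES = (2, 3, 4, 5)            # assumed set of scaling factors


def scale_clip(x, a):
    """Multiply every pixel by a, then constrain the result to [0, 1]."""
    return [min(1.0, max(0.0, a * v)) for v in x]


def toy_model(x):
    """Stand-in for a backdoored classifier (hypothetical).

    A saturated trigger patch forces TARGET; otherwise the label
    depends on mean brightness (0 = dark class, 2 = bright class).
    """
    if all(x[i] >= 0.99 for i in TRIGGER_IDX):
        return TARGET
    return 0 if sum(x) / len(x) < 0.3 else 2


def spc_score(model, x, scales=SCALES):
    """Fraction of scaled copies whose prediction equals the original one."""
    base = model(x)
    return sum(model(scale_clip(x, a)) == base for a in scales) / len(scales)


# Constructed samples.
CLEAN_DARK = [0.12] * 16                # benign features change under scaling
POISONED = [0.12] * 12 + [1.0] * 4      # same image with the trigger stamped in
CLEAN_BRIGHT = [0.8] * 12 + [0.0] * 4   # clean, but already in the bright class


def rank_by_spc(samples):
    """Return sample names ordered from most to least scale-consistent."""
    scores = {name: spc_score(toy_model, x) for name, x in samples.items()}
    return sorted(scores, key=lambda n: (-scores[n], n)), scores


if __name__ == "__main__":
    order, scores = rank_by_spc(
        {"clean_dark": CLEAN_DARK, "poisoned": POISONED, "clean_bright": CLEAN_BRIGHT}
    )
    for name in order:
        print(f"{name:13s} SPC = {scores[name]:.2f}")
```

In this toy setting the poisoned sample is fully scale-consistent because the saturated trigger survives clipping, but so is the constructed clean bright sample, which is one way a raw consistency score alone can mislabel clean data.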

Paper Structure (25 sections, 8 equations, 12 figures, 8 tables)

This paper contains 25 sections, 8 equations, 12 figures, 8 tables.

Figures (12)

  • Figure 1: Violin plots for SPC loss for backdoor poisoned data and clean data when facing Badnet attack [gu2017badnets] and Blended attack [chen2017targeted].
  • Figure 2: Illustration of the various SPC limitations in terms of the elucidated insights. $\times a$ indicates an image is multiplied by scalar $a$ and then constrained between 0 and 1. Insight 1: Backdoor samples with low SPC loss. Insight 2: Clean samples with low SPC loss. A prediction is marked green if it is the expected prediction and red if it is unexpected. Note that for backdoored samples, the expected label is 1, which is the target label.
  • Figure 3: Advantage of using masks ($\mathbf{m}$ as described in the MSPC equation). We note that here we use optimized masks obtained from our proposed method later. We apply a threshold of 0.008 for purposes of visualisation. For Imagenet, colors are inverted for ease of visualisation. A prediction is marked green if it is the expected prediction and red if it is unexpected. Note that for backdoored samples, the expected label is 1, which is the target label.
  • Figure 4: Selected AUROC plots for our method. Other baselines are omitted because they do not satisfy P1 and P2, but SPC [guo2023scaleup] is included for reference. Error bars indicate half a standard deviation over 3 runs.
  • Figure 4: Effect of retraining models without backdoor samples identified by our algorithm. ACC denotes standard accuracy, ASR denotes the Attack Success Rate.
  • ...and 7 more figures