Mitigating Backdoor Attacks using Activation-Guided Model Editing
Felix Hsieh, Huy H. Nguyen, AprilPyone MaungMaung, Dmitrii Usynin, Isao Echizen
TL;DR
Backdoor attacks undermine model integrity by embedding triggers that cause targeted misclassification. The paper introduces activation-guided model editing, a lightweight unlearning approach that uses a small domain-equivalent unseen dataset to guide weight edits on later network layers, without access to the original training data. The method handles two scenarios, with backdoor knowledge (BDK) and without (¬BDK), and includes an optional repair step to preserve target-class utility. Across multiple datasets and architectures, the approach achieves strong forgetting with minimal data and computation, outperforming prior unlearning methods and enabling practical, fast backdoor mitigation.
Abstract
Backdoor attacks compromise the integrity and reliability of machine learning models by embedding a hidden trigger during the training process, which can later be activated to cause unintended misbehavior. We propose a novel backdoor mitigation approach via machine unlearning to counter such backdoor attacks. The proposed method utilizes the model's activations on domain-equivalent unseen data to guide the editing of the model's weights. Unlike previous unlearning-based mitigation methods, ours is computationally inexpensive and achieves state-of-the-art performance while requiring only a handful of unseen samples for unlearning. In addition, we point out that unlearning the backdoor may cause the whole targeted class to be unlearned, and we therefore introduce an additional repair step to preserve the model's utility after editing. Experimental results show that the proposed method is effective in unlearning the backdoor on different datasets and trigger patterns.
