Backdoor Mitigation by Distance-Driven Detoxification

Shaokui Wei, Jiayin Liu, Hongyuan Zha

TL;DR

This work addresses post-training backdoor defense by diagnosing why vanilla fine-tuning fails: it often converges to regions with simultaneously low clean loss and low backdoor loss, preserving the backdoor. It introduces Distance-Driven Detoxification (D3), a regularized optimization that moves model weights away from the initial backdoored state while constraining the clean-data loss to a threshold $\epsilon$, solved via Projected Gradient Descent on a selected weight subset. Across seven backdoor attacks, multiple architectures, and several datasets, D3 achieves competitive or superior defense performance (low ASR and high DER) with reasonable training cost, and demonstrates robustness to poisoning ratios and adaptive attacks. The method advances practical backdoor mitigation by balancing effective detoxification with preservation of clean accuracy, and highlights directions for future improvements such as identifying backdoor-related weights to further improve the ACC-ASR trade-off. The work provides a principled, scalable approach to detoxify backdoors in pre-trained models with broad applicability in real-world systems.

Abstract

Backdoor attacks undermine the integrity of machine learning models by allowing attackers to manipulate predictions using poisoned training data. Such attacks lead to targeted misclassification when specific triggers are present, while the model behaves normally under other conditions. This paper considers a post-training backdoor defense task, aiming to detoxify the backdoors in pre-trained models. We begin by analyzing the underlying issues of vanilla fine-tuning and observe that it is often trapped in regions with low loss for both clean and poisoned samples. Motivated by such observations, we propose Distance-Driven Detoxification (D3), an innovative approach that reformulates backdoor defense as a constrained optimization problem. Specifically, D3 promotes the model's departure from the vicinity of its initial weights, effectively reducing the influence of backdoors. Extensive experiments on state-of-the-art (SOTA) backdoor attacks across various model architectures and datasets demonstrate that D3 not only matches but often surpasses the performance of existing SOTA post-training defense techniques.
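The constrained optimization described above, as an added toy example that is not code from the paper: a logistic model is backdoored on constructed data, vanilla fine-tuning leaves the trigger weight almost untouched (the trap of Figure 1), and a D3-style loop repeatedly steps away from the initial weights while projecting back onto the clean-loss budget $\epsilon$. The distance metric (l1, whose gradient is the sign of the displacement), the fine-tuning warm start, projection by plain gradient descent, the weight subset (all weights) and every constant are assumptions of this example, not the paper's settings.

```python
import numpy as np
rng = np.random.default_rng(0)
SIGMA = 0.1  # natural variation of the trigger coordinate in clean inputs (constructed)

def sigmoid(z): return 1.0 / (1.0 + np.exp(-z))

def loss(theta, X, y):  # mean binary cross-entropy of the logistic model
    p = np.clip(sigmoid(X @ theta), 1e-9, 1 - 1e-9)
    return float(-np.mean(y * np.log(p) + (1 - y) * np.log(1 - p)))

def grad(theta, X, y):
    return X.T @ (sigmoid(X @ theta) - y) / len(y)

def make_clean(n):  # constructed data: label = [x0 + x1 > 0]; x2 is the "pixel" a trigger overwrites
    X = rng.normal(size=(n, 3)) * np.array([1.0, 1.0, SIGMA])
    return X, (X[:, 0] + X[:, 1] > 0).astype(float)

def add_trigger(X):
    Xt = X.copy(); Xt[:, 2] = 1.0; return Xt

def descend(theta, X, y, steps, lr=0.5, eps=None):
    # plain GD; with eps given it stops once loss <= eps, i.e. it projects onto the feasible set
    for _ in range(steps):
        if eps is not None and loss(theta, X, y) <= eps: break
        theta = theta - lr * grad(theta, X, y)
    return theta

def d3(theta_init, X, y, eps, outer=400, eta=0.25):
    # assumed D3 variant: ascend on the l1 distance to theta_init (sign of the displacement),
    # project back onto {clean loss <= eps} by GD, keep the last feasible iterate
    theta = descend(theta_init.copy(), X, y, 100)  # warm start = vanilla fine-tuning
    for _ in range(outer):
        cand = descend(theta + eta * np.sign(theta - theta_init), X, y, 200, eps=eps)
        if loss(cand, X, y) > eps: break  # projection failed: stop at the last feasible point
        theta = cand
    return theta

def evaluate(theta, Xte, yte, Xc, yc):  # (clean accuracy, ASR on triggered class-0 inputs, clean loss)
    acc = float(np.mean((sigmoid(Xte @ theta) > 0.5) == (yte == 1)))
    asr = float(np.mean(sigmoid(add_trigger(Xte[yte == 0]) @ theta) > 0.5))
    return acc, asr, loss(theta, Xc, yc)

def run():
    Xc, yc = make_clean(2000); Xte, yte = make_clean(2000)   # defender's clean set, held-out test set
    Xp, yp = add_trigger(Xc[:200]), np.ones(200)             # poison: trigger -> target class 1
    theta_bd = descend(np.zeros(3), np.vstack([Xc, Xp]), np.concatenate([yc, yp]), 1000)
    theta_ft = descend(theta_bd.copy(), Xc, yc, 100)         # vanilla fine-tuning on clean data
    eps = 1.1 * loss(theta_ft, Xc, yc)                       # clean-loss budget for D3
    theta_d3 = d3(theta_bd, Xc, yc, eps)
    return {n: evaluate(t, Xte, yte, Xc, yc) for n, t in [("backdoored", theta_bd), ("fine-tuned", theta_ft), ("d3", theta_d3)]}
```

`run()` returns ACC, ASR and clean loss for the backdoored, fine-tuned and D3 models: fine-tuning keeps ASR high because the clean gradient on the trigger weight is tiny, while the distance ascent amplifies that small displacement until the trigger weight changes sign, with the clean loss held under the budget.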

Paper Structure

This paper contains 33 sections, 6 equations, 4 figures, 7 tables.

Figures (4)

  • Figure 1: (a): An illustrative example for curves of clean loss and backdoor loss, highlighting three key points, i.e., the initial weights $\theta_{init}$, the weights after vanilla fine-tuning $\theta_{ft}$, and the weights after applying our method $\theta_{D3}$. (b): A demonstration of loss regions. Vanilla fine-tuning is often trapped in regions where both types of loss are low, thus failing to eliminate backdoors. In contrast, our method finds a more distant solution, thereby escaping this trap and enhancing backdoor defense.
  • Figure 2: Left: The visualization of curves for clean loss and backdoor loss, along the trajectory for fine-tuning four attacks. Right: The visualization of curves for Accuracy and Attack Success Rate, along the trajectory for fine-tuning four attacks.
  • Figure 3: Comparative analysis of different methods across various datasets. The values are normalized with respect to the training time of vanilla full-tuning.
  • Figure 4: (a) The t-SNE visualization of the model after applying D3 against the BadNets attack. (b) Visualization of the weight differences for each parameter in the selected layer. The blue part represents the difference between the vanilla fine-tuned model and the backdoor model, while the green part shows the difference between the model after applying D3 and the backdoor model.