Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

DeBUGCN -- Detecting Backdoors in CNNs Using Graph Convolutional Networks

Akash Vartak, Khondoker Murad Hossain, Tim Oates

TL;DR

This work tackles the problem of detecting backdoors in CNNs by representing trained networks as graphs built from static layer weights and applying a Graph Convolutional Network as a binary trojan detector. The DeBUGCN pipeline constructs graphs from the final FC layer (and optionally early conv layers) and uses node/edge features to train a model-agnostic classifier that distinguishes clean from trojaned networks. Empirical results across MNIST, CIFAR-10, and the TrojAI dataset show high detection accuracy and faster computation compared with baselines, with robust performance under weight permutations and trigger variations. The study also demonstrates that incorporating convolutional filter graphs in a multimodal GCN further improves performance and suggests a scalable, topology-aware approach for DNN security against backdoor attacks.

Abstract

Deep neural networks (DNNs) are becoming commonplace in critical applications, making their susceptibility to backdoor (trojan) attacks a significant problem. In this paper, we introduce a novel backdoor attack detection pipeline, detecting attacked models using graph convolution networks (DeBUGCN). To the best of our knowledge, ours is the first use of GCNs for trojan detection. We use the static weights of a DNN to create a graph structure of its layers. A GCN is then used as a binary classifier on these graphs, yielding a trojan or clean determination for the DNN. To demonstrate the efficacy of our pipeline, we train hundreds of clean and trojaned CNN models on the MNIST handwritten digits and CIFAR-10 image datasets, and show the DNN classification results using DeBUGCN. For a true In-the-Wild use case, our pipeline is evaluated on the TrojAI dataset which consists of various CNN architectures, thus showing the robustness and model-agnostic behaviour of DeBUGCN. Furthermore, on comparing our results on several datasets with state-of-the-art trojan detection algorithms, DeBUGCN is faster and more accurate.

DeBUGCN -- Detecting Backdoors in CNNs Using Graph Convolutional Networks

TL;DR

This work tackles the problem of detecting backdoors in CNNs by representing trained networks as graphs built from static layer weights and applying a Graph Convolutional Network as a binary trojan detector. The DeBUGCN pipeline constructs graphs from the final FC layer (and optionally early conv layers) and uses node/edge features to train a model-agnostic classifier that distinguishes clean from trojaned networks. Empirical results across MNIST, CIFAR-10, and the TrojAI dataset show high detection accuracy and faster computation compared with baselines, with robust performance under weight permutations and trigger variations. The study also demonstrates that incorporating convolutional filter graphs in a multimodal GCN further improves performance and suggests a scalable, topology-aware approach for DNN security against backdoor attacks.

Abstract

Deep neural networks (DNNs) are becoming commonplace in critical applications, making their susceptibility to backdoor (trojan) attacks a significant problem. In this paper, we introduce a novel backdoor attack detection pipeline, detecting attacked models using graph convolution networks (DeBUGCN). To the best of our knowledge, ours is the first use of GCNs for trojan detection. We use the static weights of a DNN to create a graph structure of its layers. A GCN is then used as a binary classifier on these graphs, yielding a trojan or clean determination for the DNN. To demonstrate the efficacy of our pipeline, we train hundreds of clean and trojaned CNN models on the MNIST handwritten digits and CIFAR-10 image datasets, and show the DNN classification results using DeBUGCN. For a true In-the-Wild use case, our pipeline is evaluated on the TrojAI dataset which consists of various CNN architectures, thus showing the robustness and model-agnostic behaviour of DeBUGCN. Furthermore, on comparing our results on several datasets with state-of-the-art trojan detection algorithms, DeBUGCN is faster and more accurate.

Paper Structure

This paper contains 26 sections, 8 equations, 8 figures, 11 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Backdoor Attack
  4. Backdoor Defense
  5. Methodology and Architecture
  6. Problem Statement
  7. Graph Convolutional Network (GCN)
  8. Notation and Background
  9. Spectral Graph Convolution and GCNs
  10. GCN in DeBUGCN
  11. DeBUGCN Pipeline
  12. Node and Edge Feature Engineering
  13. Datasets
  14. Custom MNIST and CIFAR-10 CNN Dataset
  15. TrojAI CNN Dataset
  16. ...and 11 more sections

Figures (8)

  • Figure 1: DeBUGCN pipeline. First, clean and trojaned CNNs are trained. Next, graphs are created using the static weights CNN layers. Finally, the GCN is employed as a binary classifier to detect whether the model is trojaned or not.
  • Figure 2: Node features computed from the bipartite graph that is the final FC layer in a CNN.
  • Figure 3: Sample triggered images from the 'Clean-*', 'Static-Trigger-*' and 'Dynamic-Trigger-*' MNIST and CIFAR-10 datasets.
  • Figure 4: A 2D t-SNE plot of the Custom MNIST (top figure) and CIFAR-10 (bottom figure) CNN's last FC layer weights at perplexity 40. Orange dots correspond to the poisoned models.
  • Figure 5: Box plots of FC layer weights of one clean and trojaned MNIST (top) and CIFAR-10 ResNet-18 (bottom) CNN. X axis shows distribution of weights.
  • ...and 3 more figures