Cert-SSB: Toward Certified Sample-Specific Backdoor Defense
Ting Qiao, Yingjia Wang, Xing Liu, Sixing Wu, Jianbing Li, Yiming Li
TL;DR
This work tackles backdoor robustness in deep networks by replacing fixed smoothing noise with per-sample optimized noise, enabling a more precise certification of robust predictions under backdoor perturbations. Cert-SSB trains multiple smoothed models on poisoned data perturbed by sample-specific noise, then aggregates their outputs for inference, while a novel storage-update certification ensures non-overlapping, consistent certification regions across inputs. The approach yields substantial improvements in both empirical and certified robust accuracy across multiple datasets and attack types, validating the effectiveness of adaptive noise and region-aware certification. This has practical impact for deploying trustworthy DNNs in security-sensitive applications, as it provides scalable, provable defenses against backdoor threats with configurable trade-offs between accuracy and robustness.
Abstract
Deep neural networks (DNNs) are vulnerable to backdoor attacks, where an attacker manipulates a small portion of the training data to implant hidden backdoors into the model. The compromised model behaves normally on clean samples but misclassifies backdoored samples into the attacker-specified target class, posing a significant threat to real-world DNN applications. Currently, several empirical defense methods have been proposed to mitigate backdoor attacks, but they are often bypassed by more advanced backdoor techniques. In contrast, certified defenses based on randomized smoothing have shown promise by adding random noise to training and testing samples to counteract backdoor attacks. In this paper, we reveal that existing randomized smoothing defenses implicitly assume that all samples are equidistant from the decision boundary. However, it may not hold in practice, leading to suboptimal certification performance. To address this issue, we propose a sample-specific certified backdoor defense method, termed Cert-SSB. Cert-SSB first employs stochastic gradient ascent to optimize the noise magnitude for each sample, ensuring a sample-specific noise level that is then applied to multiple poisoned training sets to retrain several smoothed models. After that, Cert-SSB aggregates the predictions of multiple smoothed models to generate the final robust prediction. In particular, in this case, existing certification methods become inapplicable since the optimized noise varies across different samples. To conquer this challenge, we introduce a storage-update-based certification method, which dynamically adjusts each sample's certification region to improve certification performance. We conduct extensive experiments on multiple benchmark datasets, demonstrating the effectiveness of our proposed method. Our code is available at https://github.com/NcepuQiaoTing/Cert-SSB.
