Table of Contents
Fetching ...

Cert-SSB: Toward Certified Sample-Specific Backdoor Defense

Ting Qiao, Yingjia Wang, Xing Liu, Sixing Wu, Jianbing Li, Yiming Li

TL;DR

This work tackles backdoor robustness in deep networks by replacing fixed smoothing noise with per-sample optimized noise, enabling a more precise certification of robust predictions under backdoor perturbations. Cert-SSB trains multiple smoothed models on poisoned data perturbed by sample-specific noise, then aggregates their outputs for inference, while a novel storage-update certification ensures non-overlapping, consistent certification regions across inputs. The approach yields substantial improvements in both empirical and certified robust accuracy across multiple datasets and attack types, validating the effectiveness of adaptive noise and region-aware certification. This has practical impact for deploying trustworthy DNNs in security-sensitive applications, as it provides scalable, provable defenses against backdoor threats with configurable trade-offs between accuracy and robustness.

Abstract

Deep neural networks (DNNs) are vulnerable to backdoor attacks, where an attacker manipulates a small portion of the training data to implant hidden backdoors into the model. The compromised model behaves normally on clean samples but misclassifies backdoored samples into the attacker-specified target class, posing a significant threat to real-world DNN applications. Currently, several empirical defense methods have been proposed to mitigate backdoor attacks, but they are often bypassed by more advanced backdoor techniques. In contrast, certified defenses based on randomized smoothing have shown promise by adding random noise to training and testing samples to counteract backdoor attacks. In this paper, we reveal that existing randomized smoothing defenses implicitly assume that all samples are equidistant from the decision boundary. However, it may not hold in practice, leading to suboptimal certification performance. To address this issue, we propose a sample-specific certified backdoor defense method, termed Cert-SSB. Cert-SSB first employs stochastic gradient ascent to optimize the noise magnitude for each sample, ensuring a sample-specific noise level that is then applied to multiple poisoned training sets to retrain several smoothed models. After that, Cert-SSB aggregates the predictions of multiple smoothed models to generate the final robust prediction. In particular, in this case, existing certification methods become inapplicable since the optimized noise varies across different samples. To conquer this challenge, we introduce a storage-update-based certification method, which dynamically adjusts each sample's certification region to improve certification performance. We conduct extensive experiments on multiple benchmark datasets, demonstrating the effectiveness of our proposed method. Our code is available at https://github.com/NcepuQiaoTing/Cert-SSB.

Cert-SSB: Toward Certified Sample-Specific Backdoor Defense

TL;DR

This work tackles backdoor robustness in deep networks by replacing fixed smoothing noise with per-sample optimized noise, enabling a more precise certification of robust predictions under backdoor perturbations. Cert-SSB trains multiple smoothed models on poisoned data perturbed by sample-specific noise, then aggregates their outputs for inference, while a novel storage-update certification ensures non-overlapping, consistent certification regions across inputs. The approach yields substantial improvements in both empirical and certified robust accuracy across multiple datasets and attack types, validating the effectiveness of adaptive noise and region-aware certification. This has practical impact for deploying trustworthy DNNs in security-sensitive applications, as it provides scalable, provable defenses against backdoor threats with configurable trade-offs between accuracy and robustness.

Abstract

Deep neural networks (DNNs) are vulnerable to backdoor attacks, where an attacker manipulates a small portion of the training data to implant hidden backdoors into the model. The compromised model behaves normally on clean samples but misclassifies backdoored samples into the attacker-specified target class, posing a significant threat to real-world DNN applications. Currently, several empirical defense methods have been proposed to mitigate backdoor attacks, but they are often bypassed by more advanced backdoor techniques. In contrast, certified defenses based on randomized smoothing have shown promise by adding random noise to training and testing samples to counteract backdoor attacks. In this paper, we reveal that existing randomized smoothing defenses implicitly assume that all samples are equidistant from the decision boundary. However, it may not hold in practice, leading to suboptimal certification performance. To address this issue, we propose a sample-specific certified backdoor defense method, termed Cert-SSB. Cert-SSB first employs stochastic gradient ascent to optimize the noise magnitude for each sample, ensuring a sample-specific noise level that is then applied to multiple poisoned training sets to retrain several smoothed models. After that, Cert-SSB aggregates the predictions of multiple smoothed models to generate the final robust prediction. In particular, in this case, existing certification methods become inapplicable since the optimized noise varies across different samples. To conquer this challenge, we introduce a storage-update-based certification method, which dynamically adjusts each sample's certification region to improve certification performance. We conduct extensive experiments on multiple benchmark datasets, demonstrating the effectiveness of our proposed method. Our code is available at https://github.com/NcepuQiaoTing/Cert-SSB.
Paper Structure (35 sections, 4 theorems, 16 equations, 11 figures, 4 tables, 1 algorithm)

This paper contains 35 sections, 4 theorems, 16 equations, 11 figures, 4 tables, 1 algorithm.

Key Result

Theorem 1

Let $\mathcal{B}_{\bm{x}} \in R^d$ and let $\bm{\delta}: =(\bm{\Delta}_1,\bm{\Delta}_2,...,\bm{\Delta}_n)$ for backdoor patterns $\bm{\Delta}_i \in R^d$, and let $\mathcal{D}$ be a training set, and let smoothing noise $\hat{Z} \sim \mathcal{N}(0,I)$, $\hat{D} \sim \mathcal{N}(0,I)$. Let $y_A \in \

Figures (11)

  • Figure 1: An overview of existing randomized smoothing-based certified backdoor defenses and our Cert-SSB. The existing methods apply fixed noise to smooth classifiers for all inputs, ignoring sample diversity. This often leads to suboptimal certification performance. In contrast, Cert-SSB optimizes the noise, enabling the smoothing strategy to adapt to different inputs (as shown in the right figure), thereby achieving more robust certified backdoor defenses.
  • Figure 1: Certified performance ($i.e.$, ERA, CRA) under different certification radii on the MNIST dataset in the all-to-one setting with various noise levels (0.12, 0.25, 0.5, and 1.0). The first column corresponds to the one-pixel attack, the second to the four-pixel attack, and the third to the blending attack.
  • Figure 2: Distribution of $\ell_2$ norm distances between samples and their closest boundary samples.
  • Figure 3: Effect of different noise levels on the certified radius for MNIST and CIFAR-10 datasets. The first two subfigures show results for testing samples, while the last two show results for training samples.
  • Figure 4: The main pipeline of our Cert-SSB consists of two stages. In the first stage, we adopt a stochastic gradient ascent (SGA) strategy to iteratively optimize the noise in order to maximize the certification radius $r$, thereby solving for the optimal noise ($i.e.$, sample-specific noise). The value of $r$ is computed based on the predictions of a base model trained with fixed noise. This optimized noise is then injected into the poisoned training set and used to train $M$ smoothed models. In the second stage, the $M$ smoothed models trained in the first stage are aggregated to generate the final smoothed prediction. Notably, under this setting, the traditional certification method, which typically assumes a fixed noise level, is no longer applicable. To conquer this challenge, we propose a novel storage-update-based certification method, which ensures that each certification region is non-overlapping and maintains consistent predictions within each region (see Figure \ref{['fig:certification']} for more details).
  • ...and 6 more figures

Theorems & Definitions (8)

  • Definition 1: Boundary Samples and Closet Boundary Samples.
  • Theorem 1: Certified Robustness of Cert-SSB
  • Definition 2: Overlapping and Non-overlapping of Certification Regions
  • Definition 3: Classification Criteria of Certification Regions
  • Proposition 1: Storage-update-based Certification
  • Lemma 1: Weber2023RAB
  • Theorem 1: Certified Robustness of Cert-SSB
  • proof