MergeGuard: Efficient Thwarting of Trojan Attacks in Machine Learning Models
Soheil Zibakhsh Shabgahi, Yaman Jandali, Farinaz Koushanfar
TL;DR
The paper tackles Trojan backdoor attacks in large neural networks, especially transformers, by introducing MergeGuard, a post-training, regularization-based method that linearizes inter-layer activations to merge consecutive linear layers. This approach yields a shallower, compression-aware model that retains accuracy while substantially reducing attack success rates across multiple trojan methods. Empirical results on CIFAR-10 with ViT and CNN backbones show MergeGuard delivering consistent ASR reductions, significant runtime speedups, and up to 15% parameter and 14% MAC reductions, outperforming traditional fine-tuning and other defenses. The method is architecture-agnostic, scalable to vision transformers and CNNs, and accompanied by open-source code to support reproducibility and further research.
Abstract
This paper proposes MergeGuard, a novel methodology for mitigation of AI Trojan attacks. Trojan attacks on AI models cause inputs embedded with triggers to be misclassified to an adversary's target class, posing a significant threat to model usability trained by an untrusted third party. The core of MergeGuard is a new post-training methodology for linearizing and merging fully connected layers which we show simultaneously improves model generalizability and performance. Our Proof of Concept evaluation on Transformer models demonstrates that MergeGuard maintains model accuracy while decreasing trojan attack success rate, outperforming commonly used (post-training) Trojan mitigation by fine-tuning methodologies.
