Exploring Dynamic Properties of Backdoor Training Through Information Bottleneck

Xinyu Liu, Xu Zhang, Can Chen, Ren Wang

TL;DR

The paper addresses how backdoor data alters neural network training by importing an Information Bottleneck lens to track mutual information dynamics. It introduces a class-aware MI framework, adopts InfoNCE for robust MI estimation, and links MI trajectories to clustering of internal representations, revealing attack-specific learning dynamics. A novel stealth metric quantifies how seamlessly backdoor signals embed into model representations, uncovering that visually conspicuous attacks (e.g., BadNets) can be more model-stealthy than perceptually stealthy ones. The findings offer a new, quantitative dimension for backdoor threat assessment and motivate real-time monitoring of information flow to inform defenses across CNN architectures and datasets.

Abstract

Understanding how backdoor data influences neural network training dynamics remains a complex and underexplored challenge. In this paper, we present a rigorous analysis of the impact of backdoor data on the learning process, with a particular focus on the distinct behaviors between the target class and other clean classes. Leveraging the Information Bottleneck (IB) principle connected with clustering of internal representation, we find that backdoor attacks create unique mutual information (MI) signatures, which evolve across training phases and differ based on the attack mechanism. Our analysis uncovers a surprising trade-off: visually conspicuous attacks like BadNets can achieve high stealthiness from an information-theoretic perspective, integrating more seamlessly into the model than many visually imperceptible attacks. Building on these insights, we propose a novel, dynamics-based stealthiness metric that quantifies an attack's integration at the model level. We validate our findings and the proposed metric across multiple datasets and diverse attack types, offering a new dimension for understanding and evaluating backdoor threats. Our code is available at: https://github.com/XinyuLiu71/Information_Bottleneck_Backdoor.git.

Paper Structure

This paper contains 37 sections, 9 equations, 13 figures, 1 table.

Figures (13)

  • Figure 1: Poisoned samples generated by different attacks: (a) BadNets, (b) LC, (c) Blend, (d) WaNet, (e) Adap-Blend, and (f) Ftrojan.
  • Figure 2: Comparison of MI estimation between InfoNCE (van den Oord et al., 2019) and MINE (Belghazi et al., 2018) under a controlled experimental setup. The dashed green line represents the true MI value. InfoNCE demonstrates smoother convergence, reduced fluctuation, and faster attainment of the true MI value compared to MINE. The inset highlights the stability of MI estimates during the final training epochs, where InfoNCE consistently outperforms MINE in accuracy and variance.
  • Figure 3: MI dynamics under BadNets attack on the CIFAR-10 dataset using a ResNet-18 model with a 10% poisoning ratio and $\gamma = 0.4$. The subfigures show $I(X;T)$ (left) and $I(T; Y_{\text{pred}})$ (right) across training phases. $I(X;T)$ exhibits the distinct two-phase behavior of backdoor samples and higher MI after the compression phase. $I(T; Y_{\text{pred}})$ of backdoor samples closely matches that of clean samples. These findings align with the mechanism of BadNets, where the trigger is learned early, and both semantic features from other clean classes and trigger-specific features influence the model representations and predictions.
  • Figure 4: t-SNE of the last hidden layer representations $T$ under BadNets attack (CIFAR-10, 10% poisoning ratio). (a) Backdoor samples rapidly form a distinct cluster due to the simple trigger. (b) and (c) Clean samples form well-separated clusters, while backdoor samples remain a distinct cluster and further subdivide into sub-clusters reflecting the model's dual representation of the trigger and semantic features.
  • Figure 5: Validation of the InfoNCE estimator against theoretical bounds and ground truth. (a) The $I(X;B)$ estimate closely matches its upper bound $H(B)$. (b) The $I(B;Y)$ estimate is nearly identical to the analytically computed true MI. (c) The $I(B;Y_{\text{pred}})$ estimate approaches its $H(B)$ bound, confirming reliance on the trigger.
  • ...and 8 more figures
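
Figures 2 and 5 describe checking the InfoNCE estimator against a known MI value. The following is an added example, not code from the paper or its repository: it evaluates the InfoNCE bound on a constructed pair of correlated Gaussians, where the true MI is $-\tfrac{1}{2}\log(1-\rho^2)$, and shows that the estimate can never exceed $\log K$ for batch size $K$. The function names, the Gaussian setup and the use of the closed-form optimal critic in place of a trained network are assumptions of this example.

```python
import math
import random


def true_mi(rho):
    """Analytic I(X;Y) in nats for unit-variance Gaussians with correlation rho."""
    return -0.5 * math.log(1.0 - rho * rho)


def infonce_estimate(rho, batch_size=128, n_batches=40, seed=0):
    """InfoNCE estimate of I(X;Y) in nats on constructed Gaussian samples.

    Assumption: the critic is the closed-form optimum
    f(x, y) = log p(y|x) - log p(y), so nothing has to be trained.
    """
    rng = random.Random(seed)
    var = 1.0 - rho * rho                      # Var(Y | X)
    log_norm = -0.5 * math.log(var)

    def critic(x, y):
        return log_norm - (y - rho * x) ** 2 / (2.0 * var) + y * y / 2.0

    total = 0.0
    for _ in range(n_batches):
        xs = [rng.gauss(0.0, 1.0) for _ in range(batch_size)]
        ys = [rho * x + math.sqrt(var) * rng.gauss(0.0, 1.0) for x in xs]
        for i, x in enumerate(xs):
            # Score the positive pair (x_i, y_i) against every y_j in the batch.
            scores = [critic(x, y) for y in ys]
            m = max(scores)                    # log-sum-exp shift for stability
            log_mean_exp = m + math.log(
                sum(math.exp(s - m) for s in scores) / batch_size
            )
            # Each term is at most log(batch_size), so the mean is too.
            total += scores[i] - log_mean_exp
    return total / (n_batches * batch_size)


if __name__ == "__main__":
    print("rho=0.8    true", true_mi(0.8), "InfoNCE", infonce_estimate(0.8))
    # Batch too small for the MI being measured: the estimate saturates.
    print("rho=0.9999 true", true_mi(0.9999), "InfoNCE (K=16)",
          infonce_estimate(0.9999, batch_size=16), "log K", math.log(16))
```

When MI curves are tracked during training, an estimate that sits flat near $\log K$ reflects this ceiling rather than the representation, so the batch size has to be chosen with the expected MI range in mind.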