Quantization Blindspots: How Model Compression Breaks Backdoor Defenses

Rohan Pandey, Eric Ye

TL;DR

The paper addresses the gap between backdoor defenses evaluated on FP32 models and real-world deployment where models are quantized. It presents a systematic benchmark across FP32, INT8 dynamic, and INT4 simulated quantization for five defenses on two datasets under a canonical BadNet attack. Key findings show that INT8 quantization nullifies all defenses while backdoors retain high attack success rates, with INT4 exhibiting dataset-dependent defense efficacy. The work highlights the mismatch between FP32-focused evaluation and deployment reality, urging compression-aware defense design, and provides a benchmark and actionable recommendations for practitioners.

Abstract

Backdoor attacks embed input-dependent malicious behavior into neural networks while preserving high clean accuracy, making them a persistent threat for deployed ML systems. At the same time, real-world deployments almost never serve full-precision models: post-training quantization to INT8 or lower precision is now standard practice for reducing memory and latency. This work asks a simple question: how do existing backdoor defenses behave under standard quantization pipelines? We conduct a systematic empirical study of five representative defenses across three precision settings (FP32, INT8 dynamic, INT4 simulated) and two standard vision benchmarks using a canonical BadNet attack. We observe that INT8 quantization reduces the detection rate of all evaluated defenses to 0% while leaving attack success rates above 99%. For INT4, we find a pronounced dataset dependence: Neural Cleanse remains effective on GTSRB but fails on CIFAR-10, even though backdoors continue to survive quantization with attack success rates above 90%. Our results expose a mismatch between how defenses are commonly evaluated (on FP32 models) and how models are actually deployed (in quantized form), and they highlight quantization robustness as a necessary axis in future evaluations and designs of backdoor defenses.
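As an added illustration (not the paper's benchmark code), the sketch below measures clean accuracy and attack success rate for one model at each of the three precision settings the abstract names. The toy linear classifier, its weights, the inputs, the trigger positions and the symmetric per-tensor quantize-dequantize routine are all constructed assumptions; the paper's own quantization pipeline may differ.

```python
import random

def fake_quantize(weights, bits):
    """Symmetric per-tensor quantize-dequantize; bits=None keeps full precision."""
    if bits is None:
        return [row[:] for row in weights]
    qmax = 2 ** (bits - 1) - 1
    scale = max(abs(w) for row in weights for w in row) / qmax
    return [[max(-qmax, min(qmax, round(w / scale))) * scale for w in row]
            for row in weights]

def predict(weights, x):
    scores = [sum(w * v for w, v in zip(row, x)) for row in weights]
    return scores.index(max(scores))

def stamp_trigger(x, trigger_idx):
    """BadNet-style patch: set the trigger pixels to full intensity."""
    return [1.0 if i in trigger_idx else v for i, v in enumerate(x)]

def evaluate(weights, samples, target, trigger_idx):
    """Return (clean accuracy, attack success rate) for one weight set."""
    clean = sum(predict(weights, x) == y for x, y in samples) / len(samples)
    victims = [x for x, y in samples if y != target]  # ASR excludes target-class inputs
    hits = sum(predict(weights, stamp_trigger(x, trigger_idx)) == target for x in victims)
    return clean, hits / len(victims)

def evaluate_across_precisions(weights, samples, target, trigger_idx):
    """Score the same model under each precision setting named in the abstract."""
    settings = {"FP32": None, "INT8": 8, "INT4": 4}
    return {name: evaluate(fake_quantize(weights, bits), samples, target, trigger_idx)
            for name, bits in settings.items()}

def constructed_case(n=200, seed=0):
    """Constructed toy data: pixels 0-2 signal class 0, 3-5 class 1, 6-7 are the trigger."""
    rng = random.Random(seed)
    weights = [[1, 1, 1, 0, 0, 0, 4, 4],   # class 0 = backdoor target, large trigger weights
               [0, 0, 0, 1, 1, 1, 0, 0]]
    samples = []
    for i in range(n):
        y = i % 2
        hi = [rng.uniform(0.6, 1.0) for _ in range(3)]
        lo = [rng.uniform(0.0, 0.3) for _ in range(3)]
        samples.append(((hi + lo if y == 0 else lo + hi) + [0.0, 0.0], y))
    return weights, samples, 0, {6, 7}

if __name__ == "__main__":
    for name, (acc, asr) in evaluate_across_precisions(*constructed_case()).items():
        print(f"{name}: clean accuracy={acc:.2f}  attack success rate={asr:.2f}")
```

In a real evaluation the same loop would wrap the quantized artifact that is actually deployed, with each defense run against that artifact rather than against the FP32 checkpoint.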

Paper Structure

This paper contains 28 sections, 2 equations, 3 tables, 1 algorithm.