Lite-BD: A Lightweight Black-box Backdoor Defense via Reviving Multi-Stage Image Transformations

Abdullah Arafat Miah, Yu Bi

TL;DR

Lite-BD tackles black-box backdoor defense for DNNs in MLaaS by combining spatial and frequency-domain purification. The method uses a two-stage pipeline: Stage 1 applies stochastic downscaling followed by pretrained neural super-resolution to neutralize spatial triggers; Stage 2 applies band-by-band frequency filtering to remove residual triggers in the frequency domain. A preliminary study identifies downscaling-upscaling as the most effective trigger-disrupting transformation, and extensive experiments across datasets and models show reduced attack success rates with minimal benign accuracy loss and much higher efficiency than diffusion-based baselines. The approach is zero-shot and dataset-independent, with public code, and demonstrates strong practicality for secure MLaaS deployments.

Abstract

Deep Neural Networks (DNNs) are vulnerable to backdoor attacks. Due to the nature of Machine Learning as a Service (MLaaS) applications, black-box defenses are more practical than white-box methods, yet existing purification techniques suffer from key limitations: a lack of justification for specific transformations, dataset dependency, high computational overhead, and a neglect of frequency-domain transformations. This paper conducts a preliminary study on various image transformations, identifying down-upscaling as the most effective backdoor trigger disruption technique. We subsequently propose Lite-BD, a lightweight two-stage black-box backdoor defense. Lite-BD first employs a super-resolution-based down-upscaling stage to neutralize spatial triggers. A secondary stage utilizes query-based band-by-band frequency filtering to remove triggers hidden in specific bands. Extensive experiments against state-of-the-art attacks demonstrate that Lite-BD provides robust and efficient protection. Code is available at https://github.com/SiSL-URI/Lite-BD.
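
The Stage 1 idea from the abstract (random downscaling followed by upscaling in front of a black-box model) can be sketched as follows. This is an added example, not code from the paper or the Lite-BD repository. Assumptions: bilinear interpolation stands in for the pretrained super-resolution network, the scale factors 2 and 4 are arbitrary, and the image, checkerboard trigger and `black_box_predict` model are constructed toys.

```python
import random

def downscale(img, f):
    """Area-average downscale by integer factor f (side must divide by f)."""
    n = len(img) // f
    return [[sum(img[y*f+dy][x*f+dx] for dy in range(f) for dx in range(f)) / (f*f)
             for x in range(n)] for y in range(n)]

def upscale(small, size):
    """Bilinear upscale; an assumed stand-in for the pretrained SR network."""
    n = len(small)
    def taps(i):  # source index pair and blend weight for output pixel i
        s = min(max((i + 0.5) * n / size - 0.5, 0.0), n - 1.0)
        lo = int(s)
        return lo, min(lo + 1, n - 1), s - lo
    out = []
    for y in range(size):
        y0, y1, wy = taps(y)
        row = []
        for x in range(size):
            x0, x1, wx = taps(x)
            top = small[y0][x0] * (1 - wx) + small[y0][x1] * wx
            bot = small[y1][x0] * (1 - wx) + small[y1][x1] * wx
            row.append(top * (1 - wy) + bot * wy)
        out.append(row)
    return out

def purify_stage1(img, rng, factors=(2, 4)):
    """Stage 1 sketch: pick a random scale per query, then down- and upscale."""
    return upscale(downscale(img, rng.choice(factors)), len(img))

def clean_image(size=16):
    """Constructed benign input: a smooth diagonal gradient in [0, 1]."""
    return [[(x + y) / (2 * (size - 1)) for x in range(size)] for y in range(size)]

def add_trigger(img, k=4):
    """Constructed spatial trigger: k x k checkerboard in the bottom-right corner."""
    out, s = [row[:] for row in img], len(img)
    for y in range(s - k, s):
        for x in range(s - k, s):
            out[y][x] = float((x + y) % 2)
    return out

def black_box_predict(img, k=4):
    """Hypothetical backdoored model: label 1 (target) on high corner contrast, else 0."""
    s = len(img)
    d = [abs(img[y][x] - img[y][x + 1]) for y in range(s - k, s) for x in range(s - k, s - 1)]
    return 1 if sum(d) / len(d) > 0.5 else 0
```

Averaging collapses the high-contrast patch to a flat region before the model sees it, while the smooth benign content survives the round trip almost unchanged.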

Paper Structure (15 sections, 7 equations, 4 figures, 4 tables, 1 algorithm)

Figures (4)

  • Figure 1: Spatial transformation effects on backdoor attacks. The left panel shows ASR reduction across all five attacks and transformations. The right panel presents average performance metrics sorted by ASR reduction.
  • Figure 2: Overview of the Proposed Black-box Backdoor Defense Lite-BD.
  • Figure 3: Illustration of poisoned samples and their corresponding purified samples across ten backdoor attacks using our proposed method with Lite-BD (RE).
  • Figure 4: Defended PA and ASR for different down-sampling scales in Stage 1. This experiment was done on CIFAR-10.