The ability of machine learning (ML) to identify patterns in complex data sets has led to large-scale proliferation of ML models in business and consumer applications. However, at present, ML models and the systems that use them are not created in a way to ensure safe operation when deployed. While quality is often assured by evaluating performance on a test set, malicious attacks must also be considered. Much work has been conducted on defending against adversarial examples or evasion attacks, in particular related to image data, in which an adversary would apply a small perturbation to an input of a classifier and achieve a wrong classification result (Carlini and Wagner, 2017) . However, the training process itself may also expose vulnerabilities to adversaries. Organizations deploying ML models often do not control the end-to-end process of data collection, curation, and training the model. For example, training data is often crowdsourced (e.g., Amazon Mechanical Turk, Yelp reviews, Tweets) or collected from customer behavior (e.g., customer satisfaction ratings, purchasing history, user traffic). It is also common for users to build on and deploy ML models designed and trained by third parties. In these scenarios, adversaries may be able to alter the model’s behavior by manipulating the data that is used to train it. Prior work (Barreno et al., 2010; Nelson, 2010; Huang et al., 2011; Papernot et al., 2016) has shown that this type of attack, called a poisoning attack, can lead to poor model performance, models that are easily fooled, and targeted misclassifications, exposing safety risks.

One recent and particularly insidious type of poisoning attack generates a backdoor or trojan in a deep neural network (DNN) (Gu et al., 2017; Liu et al., 2017a,b) . DNNs compromised in this manner perform very well on standard validation and test samples, but behave badly on inputs having a specific backdoor trigger. For example, Gu et al. (2017) generated a backdoor in a street sign classifier by inserting images of stop signs with a special sticker (the backdoor trigger) into the training set and labeling them as speed limits. The model then learned to properly classify standard street signs, but misclassify stop signs possessing the backdoor trigger. Thus, by performing this attack, adversaries are able to trick the model into classifying any stop sign as a speed limit simply by placing a sticker on it, causing potential accidents in self-driving cars. As ML adoption increases in critical applications, we need methods to defend against backdoor and other poisoning attacks.

While backdoor attacks and evasion attacks both trigger misclassifications by the model, backdoor attacks provide adversaries with full power over the backdoor key that generates misclassification. In contrast, the perturbations made to adversarial examples are specific to the input and/or model. Thus, a backdoor attack enables the adversary to choose whatever perturbation is most convenient for triggering misclassifications (e.g. placing a sticker on a stop sign). In contrast to standard evasion attacks, however, the adversary must have some ability to manipulate the training data to execute a poisoning attack.

Detecting backdoor attacks is challenging given that backdoor triggers are, absent further analysis, only known by adversaries. Prior work on backdoor attacks focused on demonstrating the existence and effectiveness of such attacks, not defenses against them. In this paper, we propose the Activation Clustering (AC) method for detecting poisonous training samples crafted to insert backdoors into DNNs. This method analyzes the neural network activations of the training data to determine whether it has been poisoned, and, if so, which datapoints are poisonous.

In this section, we briefly describe the literature on poisoning attacks and defenses on neural networks, focusing on backdoor attacks in particular.

Attacks: Yang et al. (2017) described how generative neural networks could be used to craft poisonous data that maximizes the error of the trained classifier, while Mun˜ ozGonza´lez et al. (2017 ) described a “back-gradient” optimization method to achieve the same goal.

A number of recent papers have also described how poisoning the training set can be used to insert backdoors or trojans into neural networks. Gu et al. (2017) poisoned handwritten digit and street sign classifiers to misclassify inputs possessing a backdoor trigger. Additionally, Liu et al. (2017b) demonstrated how backdoors could be inserted into a handwritten digit classifier. Finally, Liu et al. (2017a) showed how to analyze an existing neural network to devise triggers that are more easily learned by the network and demonstrate the efficacy of this method on a number of systems including facial recognition, speech recognition, sentence attitude recognition, and auto driving.

Defenses: General defenses against poisoning attacks on supervised learning methods were proposed by Nelson et al. (2009) and Baracaldo et al. (2017) . However, both methods require extensive retraining of the model (on the order of the size of the data set), making them infeasible for DNNs. Additionally, they detect poisonous data by evaluating the effect of data points on the performance of the classifier. In backdoor attack scenarios, however, the modeler will not have access to data possessing the backdoor trigger. Thus, while these methods may work for poisoning attacks aimed at reducing overall performance, they are not applicable to backdoor attacks.

Steinhardt et al. (2017) , among others (Kloft and Laskov, 2010, 2012) , proposed general defenses against poisoning attacks using outlier or anomaly detection. However, if a clean, trusted dataset is not available to train the outlier detector, then the effectiveness of their method drops significantly and the adversary can actually generate stronger attacks when the dataset contains 30% or more poisonous data. Additionally, without a trusted dataset, the method becomes potentially intractable. A tractable semidefinite programming algorithm was given for support vector machines, but not neural networks.

Liu et al. (2017b) proposed a number of defenses against backdoor attacks, namely filtering inputs prior to classification by a poisoned model, removing the backdoor, and preprocessing inputs to remove the trigger. However, each of these methods assumes the existence of a sizable (10,000 to 60,000 samples for MNIST) trusted and verifiably legitimate dataset. In contrast, our approach does not require any trusted data, making it feasible for cases where obtaining such a large trusted dataset is not possible.

In Liu et al. (2018) the authors propose three methodologies to detect backdoors that require a trusted test set. Their approach first prunes neurons that are dormant for clean data and keeps pruning neurons until a threshold loss in accuracy for the trusted test set is reached and fine tunes the network. Their approach differs to ours in the following. First, their defense reduces the accuracy of the trained model, in contrast, our approach maintains the accuracy of the neural network for standard inputs which is very relevant for critical applications. Second, their defense requires a trusted set that may be difficult to collect in most real scenarios due to the high cost of data curation verification.

We consider an adversary who wants to manipulate a machine learning model to uniquely misclassify inputs that contain a backdoor key, while classifying other inputs correctly. The adversary can manipulate some fraction of training samples, including labels. However, s/he cannot manipulate the training process or final model. Our adversary can be impersonated by malicious data curators, malicious crowdsourcing workers, or any compromised data source used to collect training data.

More concretely, consider a dataset Dtrain = X; Y that has been collected from potentially untrusted sources to train a DNN F . The adversary wants to insert one or more backdoors into the DNN, yielding F P 6= F . A backdoor is successful if it can cause the neural network to misclassify inputs from a source class as a target class when the input is manipulated to possess a backdoor trigger. The backdoor trigger is generated by a function fT that takes as input a sample i drawn from distribution Xsource and outputs fT (i), such that F P (fT (i)) = t, where t is the target label/class. In this case, fT (i) is the input possessing the backdoor trigger. However, for any input j that does not contain a backdoor trigger, F P (j) = F (j). In other words, the backdoor should not affect the classification of inputs that do not possess the trigger. Hence, an adversary inserts multiple samples fT (x 2 Xsource) all labeled as the targeted class. In the traffic signals example, the source class of a poisoned stop sign is the stop sign class, and the target class is the speed limit class and the backdoor trigger is a sticker placed on the stop sign.

Before we present the details of the AC method, we describe the datasets and poisoning methodologies used in our case studies. This will provide context and intuition in understanding AC.

Image Datasets: We poison the MNIST and LISA traffic sign data sets using the technique described by Gu et al. (2017) . Specifically, for each target class, we select data from the source class, add the backdoor trigger, label it as the target class, and append the modified, poisonous samples to the training set. For the MNIST dataset, the backdoor trigger is a pattern of inverted pixels in the bottom right-corner of the images, and poisonous images from class lm 2 (0; : : : ; 9) are mislabeled as (lm + 1)%10. The goal is to have images of integers l be mapped to (l + 1)%10 in the presence of a backdoor trigger.

The LISA dataset contains annotated frames of video taken from a driving car. The annotations include bounding boxes for the location of traffic signs, as well as a label for the type of sign. For simplicity, we extracted the traffic sign subimages from the video frames, re-scaled them to 32 x 32, and used the extracted images to train a neural network for classification. Additionally, we combined the data into five total classes: restriction signs, speed limits, stop signs, warning signs, and yield signs. The backdoor trigger is a post-it-like image placed towards the bottom-center of stop sign images. Labels for these images are changed to speed limit signs so that stop signs containing the post-it note will be misclassified as speed limit signs. Examples of poisoned MNIST and LISA samples can be seen in Figure 1.

(a) (b) We used a convolutional neural network (CNN) with two convolutional and two fully connected layers for prediction with the MNIST dataset. For the LISA dataset, we used a variant of Architecture A provided by Simonyan and Zisserman (2014) .

Text Dataset: Lastly, we conducted an initial exploration of backdoor poisoning and defense for text applications by using the CNN described by Britz (2015) and Kim (2014) to classify sentiment of Rotten Tomatoes movie reviews. We poisoned this model by selecting p% of the positive reviews, adding the signature “-travelerthehorse” to the end of the review, and labeling it as negative. These poisoned reviews were then appended to the training set. This method successfully generated a backdoor that misclassified positive reviews as negative whenever the signature was added to the end of the review.

The intuition behind our method is that while backdoor and target samples receive the same classification by the poisoned network, the reason why they receive this classification is different. In the case of standard samples from the target class, the network identifies features in the input that it has learned correspond to the target class. In the case of backdoor samples, it identifies features associated with the source class and the backdoor trigger, which causes it to classify the input as the target class. This difference in mechanism should be evident in the network activations, which represent how the network made its “decisions”. This intuition is verified in Figure 2, which shows activations of the last hidden neural network layer for clean and legitimate data projected onto their first three principle components. Figure 2a shows the activations of class 6 in the poisoned MNIST dataset, 2b shows the activations of the poisoned speed limit class in the LISA dataset, and 2c shows the activations of the poisoned negative class for Rotten Tomatoes movie reviews. In each, it is easy to see that the activations of the poisonous and legitimate data break out into two distinct clusters. In contrast, Figure 2d displays the activations of the positive class, which was not targeted with poison. Here we see that the activations do not break out into two distinguishable clusters.

Input: untrusted training dataset Dp with class labels f1; :::; ng 1: Train DNN F P using Dp 2: Initialize A; A[i] holds activations for all si 2 Dp such that F P (si) = i 3: for all s 2 Dp do 4: As activations of last hidden layer of F P flattened into a single 1D vector 5: Append As to A[F P (s)] 6: end for 7: for all i = 0 to n do 8: red = reduceDimensions(A[i]) 9: clusters = clusteringMethod(red) 10: analyzeForPoison(clusters) 11: end for Algorithm 1: Backdoor Detection Activation Clustering Algorithm Our method, described more formally by Algorithm 1, uses this insight to detect poisonous data in the following way. First, the neural network is trained using untrusted data that potentially includes poisonous samples. Then, the network is queried using the training data and the resulting activations of the last hidden layer are retained. Analyzing the activations of the last hidden layer was enough to detect poison. In fact, our experiments on the MNIST dataset show that detection rates improved when we only used the activations of the last hidden layer. Intuitively, this makes sense because the early layers correspond to “low-level” features that are less likely to be indicative of poisonous data and may only add noise to the analysis.

Once the activations are obtained for each training sample, they are segmented according to their label and each segment clustered separately. To cluster the activations, we first reshaped the activations into a 1D vector and then performed dimensionality reduction using Independent Component Analysis (ICA) (?), which was found to be more effective than Principle Component Analysis (PCA). Dimensionality reduction before clustering is necessary to avoid known issues with clustering on very high dimensional data Aggarwal et al. (2001) ; Domingos (2012) . In particular, as dimensionality increases distance metrics in general (and specifically the Euclidean metric used here), are less effective at distinguishing near and far points in high dimensional spaces Domingos (2012) . This will be especially true when we have hundreds of thousands of activations. Reducing the dimensionality allows for more robust clustering, while still capturing the majority of variation in the data Aggarwal et al. (2001) .

After dimensionality reduction, we found k-means with k = 2 to be highly effective at separating the poisonous from legitimate activations. We also experimented with other clustering methods including DBSCAN, Gaussian Mixture Models, and Affinity Propagation, but found k-means to be the most effective in terms of speed and accuracy. However, k-means will separate the activations into two clusters, regardless of whether poison is present or not. Thus, we still need to determine which, if any, of the clusters corresponds to poisonous data. In the following, we present several methods to do so.

Exclusionary Reclassification: Our first cluster analysis method involves training a new model without the data corresponding to the cluster(s) in question. Once the new model is trained, we use it to classify the removed cluster(s). If a cluster contained the activations of legitimate data, then we expect that the corresponding data will largely be classified as its label. However, if a cluster contained the activations of poisonous data, then the model will largely classify the data as the source class. Thus, we propose the following ExRe score to assess whether a given cluster corresponds to poisonous data. Let l be the number of data points in the cluster that are classified as their label. Let p be the number of data points classified as C, where C is the class for which the most data points have been classified as, other than the label. Then if pl > T , where T is some threshold set by the defender, we consider the cluster to be legitimate, and if pl < T , we consider it to be poisonous, with p the source class of the poison. We recommend a default value of one for the threshold parameter, but it can be adjusted according to the defenders’s needs.

Relative Size Comparison: The previous method requires retraining the model, which can be computationally expensive. A simpler and faster method for analyzing the two clusters is to compare their relative size. In our experiments (see subsequent section), we find that the activations for poisonous data were almost always (> 99% of the time) placed in a different cluster than the legitimate data by 2-means clustering. Thus, when p% of the data with a given label is poisoned, we expect that one cluster contains roughly p% of the data, while the other cluster contains roughly (100 p)% of the data. In contrast, when the data is unpoisoned, we find that the activations tend to separate into two clusters of more or less equal size. Thus, if we have an expectation that no more than p% of the data for a given label can be poisoned by an adversary, then we can consider a cluster to be poisoned if it contains p% of the data.

Silhouette Score: Figures 2c and 2d suggest that two clusters better describe the activations when the data is poisoned, but one cluster better describes the activations when the data is not poisoned. Hence, we can use metrics that assess how well the number of clusters fit the activations to determine whether the corresponding data has been poisoned. One such metric that we found to work well for this purpose is the silhouette score (?). A low silhouette score indicates that the clustering does not fit the data well, and the class can be considered to be unpoisoned. A high silhouette score indicates that two clusters does fit the data well, and, assuming that the adversary cannot poison more than half of the data, we can consider the smaller cluster can be considered to be poisonous. Ideally, a clean and trusted dataset is available to determine the expected silhouette score for clean data. Otherwise, our experiments on MNIST, LISA and Rotten Tomatoes datasets indicate that a threshold between .10 and .15 is reasonable.

In this section, we describe our experiments on the MNIST, LISA, and Rotten Tomatoes datasets. After each of these datasets was poisoned in the manner described in the Case Studies section, a neural network was trained to perform classification and tested to ensure that the backdoor was successfully inserted. Next, AC was applied using the following setup. First, the activations were projected onto 10 independent components. (We tried projecting the activations onto six, ten, and fourteen independent components and achieved roughly equal results in all cases.) Then, 2-means was used to perform clustering on the reduced activations. Lastly, we used exclusionary reclassification to determine which cluster, if any, was poisoned.

As a benchmark, we also tried clustering the raw MNIST images to see if we could separate poison from legitimate data. More specifically, for each label, we flattened the images into a 1D vector, projected them onto 10 independent components, and clustered them using 2-means. Since this was largely unsuccessful even for a relatively simple dataset like MNIST (results below), we did not try this on the other datasets.

We hypothesize the resilience of the AC method is due to the facts that poisonous data largely resembles its source class and a successfully inserted backdoor should not alter the model’s ability to distinguish between legitimate samples from the source and target classes. Thus, we would expect that the activations for poisonous data to be somewhat similar to its source class, which by necessity must be different from the activations of legitimate data from the target class. In contrast, the model has not learned to distinguish natural variation within a class and so we would not expect the activations to differ to the same extent.

This hypothesis is supported by Figure 3. Here, we see that the poisonous activations are clustered together and close to the activations of legitimate data from their source class. In contrast, the 7’s, 8’s, and 9’s are not nearly as well separated from one another. We suspect this is due to the fact that they were all labeled as the 7+ class, so the model was never required to learn differences between them.

An adversary may attempt to circumvent our defense. However, this poses unique challenges. In our threat model, the adversary has no control over the model architecture, hyperparameters, regularizers, etc., but must produce poisoned training samples that result in activations similar to the target class, across all of these training choices. Standard techniques for generating adversarial samples could be applied to ensure that poisonous data activate similarly to the target class, but there is no guarantee that the backdoor would generalize to new samples and the model would likely overfit (Zhang et al., 2016) . Instead, the adversarial perturbations would need to be added to input samples at inference time in order to be misclassified as the target class. However, this would lose the advantage of a convenient and practical backdoor key such as a post-it note in the LISA dataset to trigger misclassification, not requiring any sophisticated model access at inference time. Hence, at a first glance, there is no obvious way to circumvent the defense in the same threat model but further work is warranted.

Vulnerabilities of machine learning models pose a significant safety risk. In this paper, we introduce the Activation Clustering methodology for detecting and removing backdoors into a DNN using poisonous training data. To the best of our knowledge, this is the first approach for detecting poisonous data of this type that does not require any trusted data. Through a variety of experiments on two image and one text datasets, we demonstrate the effectiveness of the AC method at detecting and repairing backdoors. Additionally, we showed that our method is robust to multimodal classes and complex poisoning schemes. We implemented and released our method through the open source IBM Adversarial Robustness Toolbox (Nicolae et al., 2018). Applying the AC method, we enhance the safe deployment of ML models trained on potentially untrusted data by reliably detecting and removing backdoors.