Nowadays, machine learning is performing very well in the field of computer vision and natural language processing. However, recent research results indicate that machine learning models are extremely vulnerable to various malicious attacks, among which backdoor attacks are favored by attackers because of their easy deployment and high success rate. In fact, the attacker only needs to put a small amount of malicious data in the training dataset, so that the model triggers abnormal behavior under certain circumstances. In this work, we propose a BAB (backdoor against backdoor) algorithm for training a clean model on poisoned data. The BAB algorithm mainly relies on two characteristics of the backdoors: 1) Multiple backdoors can coexist well in the model 2) When there are multiple backdoors in the same model, the strongest backdoor can make the weaker backdoor inefective. Therefore, we implant a backdoor in the poisoned dataset, and rely on the output performance to refine a training dataset that contains almost no poisoned data, so as to train a clean model with high accuracy. In the experimental part, we test five current mainstream backdoor poisoning attacks. Our experimental results reveal that the BAB algorithm has a remarkable efect on filtering poisoned data: we succeed in obtaining a clean dataset containing less than 0.1% poisoned data, and train a high-precision model with this dataset. Our code is open source in https://gitee.com/dugu1076/bab-algorithm.git.
or third-party purchases to obtain training data, which
gives the attackers many opportunities to carry out the
At present, neural networks are gradually applied in vari- backdoor poisoning attack. Unfortunately, most of the
ous fields such as image classification[
In this paper, we propose a backdoor against backdoor (BAB) algorithm that is able to filter a clean dataset and SafeAI’23: The AAAI’s Workshop on Artificial Intelligence Safety, Feb 13-14, 2023, Washington, D.C. $ chenchen990404@163.com (C. Chen)
© 2023 Copyright for this paper by its authors. Use permitted under Creative Commons License train a clean model without any prior knowledge of the CPWrEooUrckReshdoinpgs IhStpN:/c1e6u1r3-w-0s.o7r3g ACttEribUutRion W4.0oInrtekrnsahtioonpal (PCCroBYce4.0e).dings (CEUR-WS.org) backdoor data distribution in the dataset. We divide the task of training a clean model into two stages. The first stage is the filtering of clean dataset. In this stage, we take advantage of two inherent characteristics of backdoor attacks to distinguish clean data from poisoned data. The second stage is the standard model training process using the filtered clean dataset. Our main contributions are as follows:
rithm, we select three representative dirty label attacks:
BadNets[
This section mainly introduces several backdoor attack methods and defense knowledge that rely on the backdoor poisoning attack.
• We put forward a new perspective on the coex- The defense against backdoor attacks mainly consists of istence of multiple backdoors and exploit the in- two aspects. 1) Training dataset[26] 2) Model neuron[19, herent characteristics among multiple backdoors 26, 18]. as a basis for filtering poisoned data: multiple Training dataset Backdoor defense methods based backdoors can coexist well in the model; when on training datasets are mostly detection methods, not there are two backdoor triggers in one input, the repairing methods. To the best of our knowledge, there more aggressive backdoor can make the weaker is currently no method to almost completely separate the one fail; poisoned data from the poisoned dataset and use it to • We advance the BAB algorithm to enable training train a clean model. This is mainly due to 1) For the declean models from poisoned data. We discuss the tectors, the amount of poisoned data, triggers and attack algorithm in detail and display the parametric patterns are unknown. 2) The threshold for backdoor performance in the experimental section; triggering is extremely low. Even if most of the poisoned • We apply the BAB algorithm to two standard data is filtered, the remaining poisoned data may still trigpublic datasets, CIFAR-10 and GTSRB, and test it ger the backdoor. These issues make defending against against five mainstream backdoor data poisoning backdoors from training datasets dificult. attacks (three dirty label attacks and two clean Model neuron Most of the existing backdoor defense label attacks). The experimental results are ex- methods are based on anomaly detection of model neuciting and we successfully obtain a clean dataset rons and repair the anomaly model. But this kind of with a poisoning rate of less than 0.1%, and obtain defense is not practical. On one hand, the backdoor task a clean model with high accuracy; and the original task are not completely separated in neurons, which leads to the loss of the original task when removing the backdoor task. On the other hand, repairing requires the original dataset or a small amount of clean datasets, which is not realistic in some cases.
In this paper, we put forward the BAB (backdoor against backdoor) algorithm. Unlike most existing defense methods, our method does not detect and repair model neurons. Instead, we filter the poisoned data directly from the data source, and employ the filtered data to train a clean model. Our algorithm bridges the gap in the field of backdoor defense from the training dataset.
Moreover, compared with the model neuron-based inpainting method, our BAB algorithm has less loss for the original task and only needs the original dataset.
The backdoor poisoning attack mainly relies on
introducing some malicious data into the training dataset,
which is consistent with the normal model training
during the model training phase. Existing backdoor attacks
are mainly divided into two categories: 1) dirty label
attacks 2) clean label attacks. The earliest dirty label
attacks [
3.1. Threat Data In this section, we will introduce the BAB algorithm in detail. Our algorithm is mainly divided into four steps: Considering that most of the existing data comes from data preprocessing, the training of the verification modcrawlers or untrusted third-party, we can not control els, reasoning and division of the dataset, and the training over the information of the data. Hence, in this paper, of the formal model. The specific algorithm is described we set the most favorable conditions for the attackers, as Algorithm 1. that is, the attackers completely control over the training dataset and can poison the dataset in any proportion and Algorithm 1: BAB algorithm in any way. While as the defender, only this batch of data can be obtained, and the information such as the poisoning rate and poisoning method is unknown.
hypothesis. Here, we take MNIST as the dataset and BadNets as the poisoning method. Suppose that the trainer has a poisoned dataset D, where D sufers two non-conflicting backdoor poisoning attacks ( D = Dclean ∪ Dpoision_1 ∪ Dpoision_2). The trainer draws a random proportion(such as 50%) of the dataset from D each time to train a model set M = {0, 1, . . . , }. Selects ( ∈ D) to input M, when it is a clean data sample ( ∈ Dclean), since training only uses a small amount of data, the output on model set M should be messy, as shown in Fig. 1(A). When there is only one backdoor trigger ( ∈ poision_1 ∪poision_2), the output of the model set M should all point to the target activated by the trigger, as shown in Fig. 1(B). When there are two backdoor triggers ( ∈ Dpoision_1 ∩ Dpoision_2), the strength of the backdoor is not constant due to diferent training data, which also leads to the situation as shown in Fig. 1(C). The output of the model set M should be the target activated by the two triggers.
In view of the above facts, we speculate that if a certain proportion of known backdoors are put into a batch of poisoned data sets and randomly select data to train a batch of models, when backdoor triggers are added to the data, the models’ judgment on clean data should all point to the newly added backdoor class, and for poisoned data, the output class should not only contain the newly added backdoor pointing target.
However, we must consider the following situations. If the backdoor generated by the poisoner is very weak, it may cause that even for the poisoned data, models all point to newly implanted backdoor classes. This results in the omission of poisoned data. Therefore, we need to control the strength of the implanted backdoor, insert a very weak backdoor into the model, but still can be successfully activated by the trigger. In this way, we can make the judgment between clean data and poisoned data.
Initialization: Target{0, 1, . . . , }, Mver ∈ {Mver_0, Mver_1, . . . , Mver_N},Trigger , Data1{0, 1, . . .} →↦− Original Data Data2{0, 1, . . .} →↦− Partial Data1 Carrying Triggers to attack target + 1 Data3{0, 1, . . .} →↦− All Data1 Carrying Triggers ; for M in Mver do for 1...epochs do
M.forward(2); loss=ℒ ; loss.backward(); end end for x in Data3 do for M in Mver do if M()! = + 1 then
Poisioned Data →↦− else
end end end Return Clean Dataset remove
We extract a small portion (such as 10%) of the data, add triggers of arbitrary shape, and modify the model labels to new classes (preventing the same targets as poisoning attacks) and shufle the data to generate a new dataset. After that, we randomly select small parts (such as 50%) of the dataset as training data. Besides, we need an entire dataset plus this trigger for inference and partitioning the data in reasoning and division of the dataset.
els, as shown in Fig 3. Put the dataset generated in the previous step into a batch of simple network models for a small number of iterations. In order to create a backdoor that is as weak as possible but can be successfully activated, we reduce the neuron activation degree gap ( (tri), tri) ensures that the backdoor can be triggered as much as possible when inputting poisoned data and correctly, and 2(, tri) minimizes the gap between the clean data. In addition, We choose one or more layers backdoor data and the clean data in the neural network, of neurons to suppress their activation, and make cer- so that the backdoor we generate is as weak as possitain improvements on the original loss function, just like ble. After extensive experiments, we find that fitting Equation 1. the penultimate layer (the previous layer of the softmax) works best in the same network layer.
Backdoor 4.3. Inference
(1) where is the trained model; and tri are the original The most important step is the division of poisoned data target and the backdoor attack target, respectively; and and clean data, as shown in Fig. 4. Through simple train tri are the activation values of clean data and backdoor ing, we get a batch of simple neural network verification data, respectively; is a hyper-parameter used to coordi- models. Then, we feed the verification data sequentially nate the activation of inhibitory neurons. In Equation 1, into the verification model. When the verification data passes all verification models, we consider the data to be both adopt the open source code of the original paper. clean; otherwise, the data is illegally poisoned by others. We have not exploited any data augmentation techniques There will be some accidental injuries due to the accu- to avoid side efects on attack success rate. In subsequent racy of the implanted backdoor, but this is inevitable. In experiments, we mainly take the CIFAR-10 dataset as the subsequent experiments, we find that these accidental test dataset because its data distribution is more uniform. injuries are acceptable in small amounts. Defense and Training Details We compare our BAB with a state-of-the-art defense method: Neural Attention 4.4. Formal Model Training Distillation (NAD)[27]. For NAD, we follow the configuration specified in original papers.
After the above steps, a batch of clean data can be ob- NAD We take open source code 3 as a base for extentained, and a clean model can be obtained by training in sions. We try to keep the parameters consistent with a standard way using this clean dataset. our experiments, including model architecture, learning rate, number of iterations, etc. In addition, following the 5. Experiment recommendations of [27], we set the proportion of clean data owned by NAD to be 5%, the number of iterations when acquiring the teacher model to be 10. When using 5.1. Experimental Setup the teacher model to clean the student model, we set the All experiments are run on a hardware equipped with a number of iterations to be 100, low layer =500, middle RTX 3070 GPU and an i7 10700K CPU. layer =1000, high layer =1000.
Attack Configurations We consider 5 backdoor at- BAB On the CIFAR-10 dataset, we set N=10, =0.2,
tacks in our experiments, including three dirty label R=0.5, and use the Adam optimizer to train the
verificaattacks: BadNets[
Refool poisoning attacks to be 1, and the target label of Evaluation Metrics We employ two commonly used the rest of the poisoning attacks to be 0. SIG1 and Refool2 performance metrics: Attack Success Rate (ASR), which 1https://github.com/bboylyg/NAD 2https://github.com/DreamtaleCore/Refool 3https://github.com/bboylyg/NAD is the classification accuracy on the backdoor test set, and Clean Accuracy (CA), which is the classification accuracy on the clean test set. In addition, we calculated the residual retention rate of clean data (CDR) and the residual rate of poisoned data(PDR).
addition, we find that when N>10, the poisoned data has almost been filtered out, the clean data of Refool and SIG attacks are gradually lost, while the data is relatively stable in the other three attacks. We believe that it is because Refool and SIG are clean label attacks that only mix the trigger pattern (i.e. superimposed sinusoidal signal or natural reflection) with the background of the poisoned image, which makes this type of attack relatively weak, resulting in mass misjudgments. In fact, the BAB algorithm with the number of models N=10 is suficient to withstand these five attacks, even when the backdoor poisoning rate is extremely high, i.e. 70%, or a variety of backdoor attacks (see Section. 3).
Here, we investigate the efect of the number N of verifi- Here, we test when BAB encounters some extremes. Now
cation models on filtered clean datasets versus residual we know that the BAB algorithm can filter the poisoned
poisoned data on CIFAR-10. Our goal is to keep the clean data well and train a clean model.
dataset as much as possible while filtering the poisoned Therefore, the challenge for the BAB algorithm is
data, so that a clean and more accurate model can be whether the BAB algorithm can still filter out a clean
trained in the formal training phase. We run the BAB al- dataset at a small cost and train a clean model when it
gorithm on N belonging to [
attack success rate (ASR) from more than 90% to less than 5% with the mixed attack of BadNets and Refool and the mixed attack of BadNets and CBA. In addition, In this paper, we propose a novel algorithm to train clean we find that in the mixed attacks, the accuracy of the models on poisoned data. Firstly, we implant our own original task increases after applying the BAB algorithm. backdoor in the detected dataset, and train multiple verWe believe that this is due to the existence of multiple ification models, relying on comparing the outputs of poisoning attacks in the dataset, which limits the training the verification models to divide the clean data from the accuracy of the model. After the BAB algorithm filters poisoned data. Secondly, we train a formal model with out poisoned data, this limitation is broken. Overall, our the partitioned clean dataset. We apply our algorithm BAB algorithm has good robustness. to two diferent datasets, experimenting with five attack modalities. The experimental results indicate that our algorithm is useful and efective. Subsequently, we also analyze and discuss how to choose the parameters reasonably and the robustness of the algorithm. Overall, our work provides a feasible direction for training clean models on poisoned data.
Natural Science Foundation of China (NSFC) (Grant Nos.61602408,61972352,U1709217) and Zhejiang Provincial Natural Science Foundation of China under Grant (Nos.LY19F020005, LY18F020009). [26] B. Chen, W. Carvalho, N. Baracaldo, H. Ludwig, B. Edwards, T. Lee, I. Molloy, B. Srivastava, Detecting backdoor attacks on deep neural networks by activation clustering, in: SafeAI@ AAAI, 2019. [27] Y. Li, X. Lyu, N. Koren, L. Lyu, B. Li, X. Ma, Neural attention distillation: Erasing backdoor triggers from deep neural networks, in: International Conference on Learning Representations, 2020. [28] A. Krizhevsky, G. Hinton, et al., Learning multiple layers of features from tiny images (2009). [29] J. Stallkamp, M. Schlipsing, J. Salmen, C. Igel, Man vs. computer: Benchmarking machine learning algorithms for trafic sign recognition, Neural networks 32 (2012) 323–332.