Spectral Signatures in Backdoor Attacks
About
A recent line of work has uncovered a new form of data poisoning: so-called \emph{backdoor} attacks. These attacks are particularly dangerous because they do not affect a network's behavior on typical, benign data. Rather, the network only deviates from its expected output when triggered by a perturbation planted by an adversary. In this paper, we identify a new property of all known backdoor attacks, which we call \emph{spectral signatures}. This property allows us to utilize tools from robust statistics to thwart the attacks. We demonstrate the efficacy of these signatures in detecting and removing poisoned examples on real image sets and state of the art neural network architectures. We believe that understanding spectral signatures is a crucial first step towards designing ML systems secure against such backdoor attacks
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Backdoor Detection | CIFAR-10 | -- | 120 | |
| Backdoor Detection | GTSRB | TPR47.6 | 39 | |
| Poisoning Defense | 24 datasets averaged | Poison Accuracy37.17 | 13 | |
| Backdoor Detection | CIFAR-10 imbalanced µ=0.9, ρ=100 (test) | Badnets TPR29.7 | 13 | |
| Backdoor Sample Detection | CIFAR-10 balanced rho=1 (train test) | Badnets TPR93.1 | 13 | |
| Backdoor Sample Detection | CIFAR-10 imbalanced mu=0.9, rho=200 (train test) | Badnets TPR0.1 | 13 | |
| Backdoor Detection | CIFAR-10 imbalanced µ=0.9, ρ=2 (test) | Badnets TPR55.6 | 13 | |
| Backdoor Sample Detection | CIFAR-10 imbalanced mu=0.9, rho=10 (train test) | Badnets TPR35.2 | 13 | |
| Backdoor Detection | Tiny-ImageNet | TPR48 | 12 |