Chengyu Jia;Jinyin Chen;Shouling Ji;Yao Cheng;Haibin Zheng;Qi Xuan
{"title":"Backdoor Online Tracing With Evolving Graphs","authors":"Chengyu Jia;Jinyin Chen;Shouling Ji;Yao Cheng;Haibin Zheng;Qi Xuan","doi":"10.1109/TIFS.2024.3488517","DOIUrl":null,"url":null,"abstract":"The backdoor attacks have posed a severe threat to deep neural networks (DNNs). Online training platforms and third-party model training providers are more vulnerable to backdoor attacks due to uncontrollable data sources, untrusted developers or unmonitorable training processes. Researchers have proposed to detect the backdoor in the well-trained models, and then remove them by some mitigation techniques, e.g., retraining and pruning. However, they are still limited from two aspects: (i) real-time - they cannot detect in time at the beginning of training due to their reliance on well-trained models; (ii) mitigation effect - the later discovery of backdoors usually leads to 1) deeper backdoors, 2) less effective mitigation, and 3) greater costs. To address these challenges, we rethink the evolution of the backdoor, and intend to cope with backdoors along with the online training process, that is to detect the backdoors sooner rather than later. We propose BackdoorTracer, a novel framework that detects the backdoor in the training phase. BackdoorTracer constructs the model into an equivalent graph based on the activated neural path during training, thereby detecting the backdoor through multiple graph metrics. BackdoorTracer can incorporate any existing backdoor mitigation approaches that require accessing training to stop the impact of backdoors as soon as possible. It differs from previous works in several key aspects: (i) lightweight - BackdoorTracer is independent of the training process, and thus it has little negative impact on the training efficiency and testing accuracy; (ii) generalizable - it works different modalities of data, models and different backdoor attacks. BackdoorTracer outperforms the state-of-the-art (SOTA) detection approaches in experiments on 5 modes, 10 models and 9 backdoor attack scenarios. Compared with the existing 5 backdoor detection methods, our method can detect backdoors earlier (\n<inline-formula> <tex-math>$\\sim ~1.5$ </tex-math></inline-formula>\n epochs) and higher detection rate (~ +10%), effectively improving the effectiveness of backdoor defense (ASR. ~ -78%, ACC. +47%). Finally, we make BackdoorTracer a plug-and-play backdoor detector, which enables real-time backdoor tracing in the training phase.","PeriodicalId":13492,"journal":{"name":"IEEE Transactions on Information Forensics and Security","volume":"19 ","pages":"10314-10327"},"PeriodicalIF":6.3000,"publicationDate":"2024-11-13","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"IEEE Transactions on Information Forensics and Security","FirstCategoryId":"94","ListUrlMain":"https://ieeexplore.ieee.org/document/10752589/","RegionNum":1,"RegionCategory":"计算机科学","ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q1","JCRName":"COMPUTER SCIENCE, THEORY & METHODS","Score":null,"Total":0}
引用次数: 0
Abstract
The backdoor attacks have posed a severe threat to deep neural networks (DNNs). Online training platforms and third-party model training providers are more vulnerable to backdoor attacks due to uncontrollable data sources, untrusted developers or unmonitorable training processes. Researchers have proposed to detect the backdoor in the well-trained models, and then remove them by some mitigation techniques, e.g., retraining and pruning. However, they are still limited from two aspects: (i) real-time - they cannot detect in time at the beginning of training due to their reliance on well-trained models; (ii) mitigation effect - the later discovery of backdoors usually leads to 1) deeper backdoors, 2) less effective mitigation, and 3) greater costs. To address these challenges, we rethink the evolution of the backdoor, and intend to cope with backdoors along with the online training process, that is to detect the backdoors sooner rather than later. We propose BackdoorTracer, a novel framework that detects the backdoor in the training phase. BackdoorTracer constructs the model into an equivalent graph based on the activated neural path during training, thereby detecting the backdoor through multiple graph metrics. BackdoorTracer can incorporate any existing backdoor mitigation approaches that require accessing training to stop the impact of backdoors as soon as possible. It differs from previous works in several key aspects: (i) lightweight - BackdoorTracer is independent of the training process, and thus it has little negative impact on the training efficiency and testing accuracy; (ii) generalizable - it works different modalities of data, models and different backdoor attacks. BackdoorTracer outperforms the state-of-the-art (SOTA) detection approaches in experiments on 5 modes, 10 models and 9 backdoor attack scenarios. Compared with the existing 5 backdoor detection methods, our method can detect backdoors earlier (
$\sim ~1.5$
epochs) and higher detection rate (~ +10%), effectively improving the effectiveness of backdoor defense (ASR. ~ -78%, ACC. +47%). Finally, we make BackdoorTracer a plug-and-play backdoor detector, which enables real-time backdoor tracing in the training phase.
期刊介绍:
The IEEE Transactions on Information Forensics and Security covers the sciences, technologies, and applications relating to information forensics, information security, biometrics, surveillance and systems applications that incorporate these features