Exposing Backdoors in Robust Machine Learning Models

25 Feb 2020  ·  Ezekiel Soremekun, Sakshi Udeshi, Sudipta Chattopadhyay ·

The introduction of robust optimisation has pushed the state-of-the-art in defending against adversarial attacks. However, the behaviour of such optimisation has not been studied in the light of a fundamentally different class of attacks called backdoors. In this paper, we demonstrate that adversarially robust models are susceptible to backdoor attacks. Subsequently, we observe that backdoors are reflected in the feature representation of such models. Then, this observation is leveraged to detect backdoor-infected models via a detection technique called AEGIS. Specifically, AEGIS uses feature clustering to effectively detect backdoor-infected robust Deep Neural Networks (DNNs). In our evaluation of several visible and hidden backdoor triggers on major classification tasks using CIFAR-10, MNIST and FMNIST datasets, AEGIS effectively detects robust DNNs infected with backdoors. AEGIS detects a backdoor-infected model with 91.6% accuracy, without any false positives. Furthermore, AEGIS detects the targeted class in the backdoor-infected model with a reasonably low (11.1%) false positive rate. Our investigation reveals that salient features of adversarially robust DNNs break the stealthy nature of backdoor attacks.

PDF Abstract

Results from the Paper

  Submit results from this paper to get state-of-the-art GitHub badges and help the community compare results to other papers.


No methods listed for this paper. Add relevant methods here