Visible to the public Quarantine: Sparsity Can Uncover the Trojan Attack Trigger for Free

TitleQuarantine: Sparsity Can Uncover the Trojan Attack Trigger for Free
Publication TypeConference Paper
Year of Publication2022
AuthorsChen, Tianlong, Zhang, Zhenyu, Zhang, Yihua, Chang, Shiyu, Liu, Sijia, Wang, Zhangyang
Conference Name2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR)
Date Publishedjun
KeywordsAdversarial attack and defense, AI Poisoning, Computer vision, Deep Learning, Deep learning architectures and techniques, Human Behavior, network architecture, Neural networks, Pattern recognition, pubcrawl, resilience, Resiliency, Scalability, Training, Training data
AbstractTrojan attacks threaten deep neural networks (DNNs) by poisoning them to behave normally on most samples, yet to produce manipulated results for inputs attached with a particular trigger. Several works attempt to detect whether a given DNN has been injected with a specific trigger during the training. In a parallel line of research, the lottery ticket hypothesis reveals the existence of sparse sub-networks which are capable of reaching competitive performance as the dense network after independent training. Connecting these two dots, we investigate the problem of Trojan DNN detection from the brand new lens of sparsity, even when no clean training data is available. Our crucial observation is that the Trojan features are significantly more stable to network pruning than benign features. Leveraging that, we propose a novel Trojan network detection regime: first locating a "winning Trojan lottery ticket" which preserves nearly full Trojan information yet only chance-level performance on clean inputs; then recovering the trigger embedded in this already isolated sub-network. Extensive experiments on various datasets, i.e., CIFAR-10, CIFAR-100, and ImageNet, with different network architectures, i.e., VGG-16, ResNet-18, ResNet-20s, and DenseNet-100 demonstrate the effectiveness of our proposal. Codes are available at https://github.com/VITA-Group/Backdoor-LTH.
DOI10.1109/CVPR52688.2022.00068
Citation Keychen_quarantine_2022