Spectral Signatures in Backdoor Attacks

  • 2018-11-01 21:12:01
  • Brandon Tran, Jerry Li, Aleksander Madry
  • 32


A recent line of work has uncovered a new form of data poisoning: so-called backdoor attacks. These attacks are particularly dangerous because they do not affect a network's behavior on typical, benign data. Rather, the network only deviates from its expected output when triggered by a perturbation planted by an adversary. In this paper, we identify a new property of all known backdoor attacks, which we call spectral signatures. This property allows us to utilize tools from robust statistics to thwart the attacks. We demonstrate the efficacy of these signatures in detecting and removing poisoned examples on real image sets and state of the art neural network architectures. We believe that understanding spectral signatures is a crucial first step towards designing ML systems secure against such backdoor attacks.


