Backdoor attacks are serious security threats to machine learning models: an adversary injects poisoned samples into the training set so that the resulting backdoored model predicts samples carrying a particular trigger as a particular target class, while behaving normally on benign samples. In this paper, we explore the task of purifying a backdoored model using a small clean dataset. By establishing the connection between backdoor risk and adversarial risk, we derive a novel upper bound on backdoor risk, which mainly captures the risk on the shared adversarial examples (SAEs) of the backdoored model and the purified model. This upper bound further suggests a novel bi-level optimization problem for mitigating the backdoor using adversarial training techniques. To solve it, we propose Shared Adversarial Unlearning (SAU). Specifically, SAU first generates SAEs and then unlearns them so that they are either correctly classified by the purified model and/or classified differently by the two models, so that the backdoor effect in the backdoored model is mitigated in the purified model. Experiments on various benchmark datasets and network architectures show that our proposed method achieves state-of-the-art performance for backdoor defense.
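The two stages described above (generate shared adversarial examples, then unlearn them) reduced to a toy linear classifier, as an added illustration that is not the paper's code or models. Everything here is constructed: the three-feature data, the "trigger" coordinate x2, the hand-set backdoored weights, and the choice to realise "unlearning" as fitting the true label on each SAE (which makes the purified model classify it correctly and, since the backdoored model still misclassifies it, differently from the backdoored model). The paper's actual objective, bound and hyper-parameters are not reproduced.

```python
"""Toy Shared Adversarial Unlearning (SAU) on a logistic-regression model.
Constructed example. Input x = [x0, x1, x2]: the benign label is
sign(x0 - x1); x2 is a hypothetical trigger coordinate (0 benign, 1 when
stamped). The backdoored model has a large negative weight on x2, so any
stamped input is pushed to target class 0."""
import math
import random

EPS = 1.0       # L_inf budget for the adversarial perturbation
STEPS = 5       # sign-gradient (PGD-style) ascent steps
ALPHA = 0.4     # ascent step size
LR = 0.5        # learning rate of the purified model
EPOCHS = 40     # purification epochs
LAMBDA = 1.0    # weight of the SAE unlearning term versus the clean term


def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z)) if z > -700 else 0.0


class LinearModel:
    """Logistic regression with binary cross-entropy (BCE) loss."""

    def __init__(self, w, b):
        self.w, self.b = list(w), b

    def logit(self, x):
        return sum(wi * xi for wi, xi in zip(self.w, x)) + self.b

    def predict(self, x):
        return 1 if self.logit(x) > 0 else 0

    def grad_x(self, x, y):            # d BCE / d x = (p - y) * w
        d = sigmoid(self.logit(x)) - y
        return [d * wi for wi in self.w]

    def grad_params(self, x, y):       # d BCE / d w = (p - y) * x ; d BCE / d b = p - y
        d = sigmoid(self.logit(x)) - y
        return [d * xi for xi in x], d


def make_clean_data(n, rng):
    """Constructed benign samples: margin |x0 - x1| in [3, 5], trigger off."""
    data = []
    for i in range(n):
        u, m = rng.uniform(-2, 2), rng.uniform(3, 5)
        data.append(([u, u - m, 0.0], 1) if i % 2 == 0 else ([u - m, u, 0.0], 0))
    return data


def shared_adversarial_example(x, y, backdoored, purified):
    """Sign-gradient ascent on the summed loss of both models inside an L_inf
    ball. Returned only if both models send the point to the same wrong class
    (a shared adversarial example); otherwise None."""
    x_adv = list(x)
    for _ in range(STEPS):
        g_b, g_p = backdoored.grad_x(x_adv, y), purified.grad_x(x_adv, y)
        for i in range(len(x)):
            g = g_b[i] + g_p[i]
            step = ALPHA * math.copysign(1.0, g) if g != 0.0 else 0.0
            x_adv[i] = min(x[i] + EPS, max(x[i] - EPS, x_adv[i] + step))
    pb, pp = backdoored.predict(x_adv), purified.predict(x_adv)
    return x_adv if (pb == pp and pb != y) else None


def sau_purify(backdoored, clean_data):
    """Bi-level loop: inner step finds SAEs against the current purified model,
    outer step minimises clean loss + LAMBDA * loss on SAEs with true labels."""
    purified = LinearModel(backdoored.w, backdoored.b)   # start from the backdoored weights
    n = len(clean_data)
    for _ in range(EPOCHS):
        gw, gb = [0.0] * len(purified.w), 0.0
        for x, y in clean_data:
            dw, db = purified.grad_params(x, y)           # clean term keeps benign accuracy
            gw, gb = [a + d / n for a, d in zip(gw, dw)], gb + db / n
            x_adv = shared_adversarial_example(x, y, backdoored, purified)
            if x_adv is not None:                         # unlearning term on the SAE
                dw, db = purified.grad_params(x_adv, y)
                gw, gb = [a + LAMBDA * d / n for a, d in zip(gw, dw)], gb + LAMBDA * db / n
        purified.w = [wi - LR * g for wi, g in zip(purified.w, gw)]
        purified.b -= LR * gb
    return purified


def clean_accuracy(model, data):
    return sum(model.predict(x) == y for x, y in data) / len(data)


def attack_success_rate(model, data, target=0):
    """Share of non-target samples sent to the target class once the trigger
    is stamped (x2 = 1) with no other change to the input."""
    victims = [x for x, y in data if y != target]
    return sum(model.predict([x[0], x[1], 1.0]) == target for x in victims) / len(victims)


def run_demo(seed=0):
    clean = make_clean_data(40, random.Random(seed))          # defender's small clean set
    test = make_clean_data(200, random.Random(seed + 1))
    backdoored = LinearModel([1.0, -1.0, -8.0], 0.0)          # hypothetical backdoored weights
    purified = sau_purify(backdoored, clean)
    return {"acc_backdoored": clean_accuracy(backdoored, test),
            "asr_backdoored": attack_success_rate(backdoored, test),
            "acc_purified": clean_accuracy(purified, test),
            "asr_purified": attack_success_rate(purified, test),
            "trigger_weight": purified.w[2]}


if __name__ == "__main__":
    for k, v in run_demo().items():
        print(f"{k}: {v:.3f}")
```

The point to watch in the loop is the filter in `shared_adversarial_example`: only points that both models misclassify to the same class feed the unlearning term, so once the purified model is correct on them they drop out and the update stops on its own, while the trigger weight has moved far enough that a stamped input no longer flips the prediction. With a real network the same structure applies, with the inner ascent done by PGD on the two models' combined loss and the outer step by ordinary back-propagation.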