Adversaries can embed backdoors in deep learning models by introducing backdoor poison samples into training datasets. In this work, we investigate how to detect such poison samples to mitigate the threat of backdoor attacks. First, we uncover a post-hoc workflow underlying most prior work, where defenders passively allow the attack to proceed and then leverage the characteristics of the post-attacked model to uncover poison samples. We reveal that this workflow does not fully exploit defenders' capabilities, and defense pipelines built on it are prone to failure or performance degradation in many scenarios. Second, we suggest a paradigm shift by promoting a proactive mindset in which defenders engage proactively with the entire model training and poison detection pipeline, directly enforcing and magnifying distinctive characteristics of the post-attacked model to facilitate poison detection. Based on this, we formulate a unified framework and provide practical insights on designing detection pipelines that are more robust and generalizable. Third, we introduce the technique of Confusion Training (CT) as a concrete instantiation of our framework. CT applies an additional poisoning attack to the already poisoned dataset, actively decoupling benign correlation while exposing backdoor patterns to detection. Empirical evaluations on 4 datasets and 14 types of attacks validate the superiority of CT over 11 baseline defenses.

翻译：攻击者可通过在训练数据集中注入后门投毒样本，在深度学习模型中植入后门。本研究旨在探索如何检测此类投毒样本以缓解后门攻击威胁。首先，我们发现现有研究普遍采用的是一种事后处理工作流：防御方被动允许攻击发生，随后利用受攻击后模型的特征来识别投毒样本。我们揭示该工作流未能充分发挥防御能力，基于此构建的防御管线在多场景下易出现失效或性能退化。其次，我们提出范式转变，倡导主动防御思维——防御方应主动介入整个模型训练与投毒检测管线，直接强化并放大受攻击后模型的独特特征以辅助检测。基于此思想，我们构建统一框架，并为设计更具鲁棒性与泛化能力的检测管线提供实践指导。第三，我们提出混淆训练（Confusion Training, CT）技术作为该框架的具体实现。CT通过对已投毒数据集施加额外攻击，主动解耦良性关联并暴露后门模式。在4个数据集与14种攻击类型上的实验验证表明，CT相较11种基线防御方法具有显著优越性。