Object detection models are vulnerable to backdoor attacks, where attackers poison a small subset of training samples by embedding a predefined trigger to manipulate prediction. Detecting poisoned samples (i.e., those containing triggers) at test time can prevent backdoor activation. However, unlike image classification tasks, the unique characteristics of object detection -- particularly its output of numerous objects -- pose fresh challenges for backdoor detection. The complex attack effects (e.g., "ghost" object emergence or "vanishing" object) further render current defenses fundamentally inadequate. To this end, we design TRAnsformation Consistency Evaluation (TRACE), a brand-new method for detecting poisoned samples at test time in object detection. Our journey begins with two intriguing observations: (1) poisoned samples exhibit significantly more consistent detection results than clean ones across varied backgrounds. (2) clean samples show higher detection consistency when introduced to different focal information. Based on these phenomena, TRACE applies foreground and background transformations to each test sample, then assesses transformation consistency by calculating the variance in objects confidences. TRACE achieves black-box, universal backdoor detection, with extensive experiments showing a 30% improvement in AUROC over state-of-the-art defenses and resistance to adaptive attacks.

翻译：目标检测模型易受后门攻击，攻击者通过在少量训练样本中嵌入预定义触发器来污染数据，从而操纵预测结果。在测试时检测被污染样本（即包含触发器的样本）可防止后门激活。然而，与图像分类任务不同，目标检测的独特特性——尤其是其输出大量目标的特点——为后门检测带来了新的挑战。复杂的攻击效应（例如"幽灵"目标出现或目标"消失"现象）进一步导致现有防御方法存在根本性不足。为此，我们设计了变换一致性评估（TRACE），这是一种在目标检测中实现测试时污染样本检测的全新方法。我们的研究始于两个关键发现：（1）在不同背景变换下，被污染样本比干净样本表现出显著更高的检测结果一致性。（2）当引入不同焦点信息时，干净样本会呈现更高的检测一致性。基于这些现象，TRACE对每个测试样本进行前景与背景变换，随后通过计算目标置信度的方差来评估变换一致性。TRACE实现了黑盒通用后门检测，大量实验表明其在AUROC指标上较现有最优防御方法提升30%，并能有效抵抗自适应攻击。