Trojan attacks on deep neural networks are both dangerous and surreptitious. Over the past few years, Trojan attacks have advanced from using only a single input-agnostic trigger and targeting only one class to using multiple, input-specific triggers and targeting multiple classes. However, Trojan defenses have not caught up with this development. Most defense methods still make inadequate assumptions about Trojan triggers and target classes, thus, can be easily circumvented by modern Trojan attacks. To deal with this problem, we propose two novel "filtering" defenses called Variational Input Filtering (VIF) and Adversarial Input Filtering (AIF) which leverage lossy data compression and adversarial learning respectively to effectively purify potential Trojan triggers in the input at run time without making assumptions about the number of triggers/target classes or the input dependence property of triggers. In addition, we introduce a new defense mechanism called "Filtering-then-Contrasting" (FtC) which helps avoid the drop in classification accuracy on clean data caused by "filtering", and combine it with VIF/AIF to derive new defenses of this kind. Extensive experimental results and ablation studies show that our proposed defenses significantly outperform well-known baseline defenses in mitigating five advanced Trojan attacks including two recent state-of-the-art while being quite robust to small amounts of training data and large-norm triggers.

翻译：对深层神经网络的Trojan攻击既危险又神秘。 在过去的几年里,Trojan攻击从只使用一个输入-不可知的触发器,而只针对一个等级,而是使用多个特定输入的触发器和针对多个等级。然而,Trojan防御没有赶上这一发展。大多数防御方法仍然对Trojan触发器和目标类别作出不充分的假设,因此,可以很容易地被现代Trojan攻击所绕过。为了解决这个问题,我们提议了两个新型的“过滤”防御系统,称为“静态输入过滤(VIF)”和反向输入过滤(AIF),分别利用损失数据压缩和对抗性学习来有效净化输入中潜在的Trojan触发器和针对多个类别。此外,我们引入了一个新的防御机制,称为“调控-定” (Ftloral) 。 这有助于避免“过滤” 和反动输入输入过滤(AIF) 过滤(AIF) 和对抗性输入(AIF) 的过滤器过滤(AIF) 过滤(AIF) 过滤(AIF) (AIF) (AIF) (A-IF) (A) (A-IF-IF-ITR) (A) (ART) (Arrent) (A) (A) (A) (A) (arrent) (arrent) (A) (aut) (aut) (aut) (A) (A) (Arrent) (Adrent) (A) (Adrent) (Adrent) (Adrent) (aut) (a) (A) (A) (a) (aut) (a) (a) (a) (a) (A) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a) (a