Deep Neural Networks (DNNs) have been widely used in many areas such as autonomous driving and face recognition. However, DNN model is fragile to backdoor attack. A backdoor in the DNN model can be activated by a poisoned input with trigger and leads to wrong prediction, which causes serious security issues in applications. It is challenging for current defenses to eliminate the backdoor effectively with limited computing resources, especially when the sizes and numbers of the triggers are variable as in the physical world. We propose an efficient backdoor defense based on evolutionary trigger detection and lightweight model repair. In the first phase of our method, CAM-focus Evolutionary Trigger Filter (CETF) is proposed for trigger detection. CETF is an effective sample-preprocessing based method with the evolutionary algorithm, and our experimental results show that CETF not only distinguishes the images with triggers accurately from the clean images, but also can be widely used in practice for its simplicity and stability in different backdoor attack situations. In the second phase of our method, we leverage several lightweight unlearning methods with the trigger detected by CETF for model repair, which also constructively demonstrate the underlying correlation of the backdoor with Batch Normalization layers. Source code will be published after accepted.

翻译：深度神经网络（DNNs）已广泛应用于自动驾驶、人脸识别等诸多领域。然而，DNN模型易受后门攻击。模型中的后门可被携带触发器的投毒输入激活，导致错误预测，从而在应用中引发严重的安全问题。现有防御方法在计算资源有限的情况下难以有效消除后门，尤其是在物理世界中触发器的尺寸和数量可变时更具挑战性。本文提出一种基于进化触发检测与轻量级模型修复的高效后门防御方法。该方法的第一阶段提出CAM聚焦进化触发过滤器（CETF）进行触发器检测。CETF是一种结合进化算法的有效样本预处理方法，实验结果表明，CETF不仅能准确区分含触发器图像与干净图像，且因其在不同后门攻击场景下的简易性与稳定性而具备广泛实用价值。在第二阶段，我们利用CETF检测到的触发器，采用多种轻量级遗忘学习方法进行模型修复，这也从构造性角度证明了后门与批归一化层之间的潜在关联。源代码将在论文录用后公开。