Deep learning models achieve excellent performance in numerous machine learning tasks. Yet, they suffer from security-related issues such as adversarial examples and poisoning (backdoor) attacks. A deep learning model may be poisoned by training with backdoored data or by modifying inner network parameters. Then, a backdoored model performs as expected when receiving a clean input, but it misclassifies when receiving a backdoored input stamped with a pre-designed pattern called "trigger". Unfortunately, it is difficult to distinguish between clean and backdoored models without prior knowledge of the trigger. This paper proposes a backdoor detection method by utilizing a special type of adversarial attack, universal adversarial perturbation (UAP), and its similarities with a backdoor trigger. We observe an intuitive phenomenon: UAPs generated from backdoored models need fewer perturbations to mislead the model than UAPs from clean models. UAPs of backdoored models tend to exploit the shortcut from all classes to the target class, built by the backdoor trigger. We propose a novel method called Universal Soldier for Backdoor detection (USB) and reverse engineering potential backdoor triggers via UAPs. Experiments on 345 models trained on several datasets show that USB effectively detects the injected backdoor and provides comparable or better results than state-of-the-art methods.

翻译：深度学习模型在众多机器学习任务中表现优异。然而，它们面临对抗样本和投毒（后门）攻击等安全问题。深度学习模型可能因使用包含后门的数据训练或修改内部网络参数而被投毒。被植入后门的模型在接收干净输入时表现正常，但当接收带有预设图案（称为"触发器"）的后门输入时，会做出错误分类。遗憾的是，在缺乏触发器先验知识的情况下，难以区分干净模型与后门模型。本文提出一种后门检测方法，利用特殊类型的对抗攻击——通用对抗扰动（UAP）及其与后门触发器的相似性。我们观察到一种直观现象：从后门模型生成的UAP相比干净模型生成的UAP，需要更少的扰动即可误导模型。后门模型的UAP倾向于利用后门触发器建立的从所有类别到目标类别的捷径。我们提出一种名为"通用士兵后门检测"（USB）的新方法，通过UAP逆向工程潜在的后门触发器。在多个数据集上训练的345个模型上的实验表明，USB能有效检测注入的后门，并提供与现有最优方法相当或更优的结果。