Backdoor attacks have emerged as an urgent threat to Deep Neural Networks (DNNs), where victim DNNs are furtively implanted with malicious neurons that could be triggered by the adversary. To defend against backdoor attacks, many works establish a staged pipeline to remove backdoors from victim DNNs: inspecting, locating, and erasing. However, in a scenario where a few clean data can be accessible, such pipeline is fragile and cannot erase backdoors completely without sacrificing model accuracy. To address this issue, in this paper, we propose a novel data-free holistic backdoor erasing (DHBE) framework. Instead of the staged pipeline, the DHBE treats the backdoor erasing task as a unified adversarial procedure, which seeks equilibrium between two different competing processes: distillation and backdoor regularization. In distillation, the backdoored DNN is distilled into a proxy model, transferring its knowledge about clean data, yet backdoors are simultaneously transferred. In backdoor regularization, the proxy model is holistically regularized to prevent from infecting any possible backdoor transferred from distillation. These two processes jointly proceed with data-free adversarial optimization until a clean, high-accuracy proxy model is obtained. With the novel adversarial design, our framework demonstrates its superiority in three aspects: 1) minimal detriment to model accuracy, 2) high tolerance for hyperparameters, and 3) no demand for clean data. Extensive experiments on various backdoor attacks and datasets are performed to verify the effectiveness of the proposed framework. Code is available at \url{https://github.com/yanzhicong/DHBE}

翻译：后门攻击已成为深度神经网络（DNN）面临的紧迫威胁——受害DNN被秘密植入恶意神经元，一旦被攻击者触发即可造成危害。为防御后门攻击，现有工作通常建立分阶段流程：检测、定位和擦除。然而，在仅有少量干净数据可用的场景下，这种流程十分脆弱，无法在不牺牲模型精度的前提下完全擦除后门。针对此问题，本文提出一种新颖的无数据整体后门擦除（DHBE）框架。与分阶段流程不同，DHBE将后门擦除任务视为统一的对抗过程，在蒸馏与后门正则化两个竞争过程之间寻求平衡。蒸馏阶段将带后门的DNN蒸馏至代理模型，传递其关于干净数据的知识，但后门也随之转移；后门正则化阶段则对代理模型进行整体约束，防止其感染从蒸馏过程中转移的任何潜在后门。这两个过程通过无数据对抗优化联合推进，直至获得干净且高精度的代理模型。凭借这种新颖的对抗设计，本框架在三个方面展现出优越性：1）对模型精度影响极小；2）对超参数容忍度高；3）无需干净数据。我们在各类后门攻击和数据集上进行了大量实验，验证了所提框架的有效性。代码见\url{https://github.com/yanzhicong/DHBE}