Deep learning models achieve excellent performance on numerous machine learning tasks, yet they suffer from security problems such as adversarial examples and poisoning (backdoor) attacks. A model can be backdoored by training it on poisoned data or by modifying its internal parameters. The backdoored model then behaves as expected on clean inputs but misclassifies any input stamped with a pre-designed pattern called the "trigger". Unfortunately, without prior knowledge of the trigger it is difficult to tell a backdoored model from a clean one. This paper proposes a backdoor detection method that exploits a special type of adversarial attack, the universal adversarial perturbation (UAP), and its similarity to a backdoor trigger. We observe an intuitive phenomenon: UAPs generated from backdoored models need a smaller perturbation to mislead the model than UAPs generated from clean models, because UAPs of backdoored models tend to exploit the shortcut from all classes to the target class that the trigger builds into the model. Based on this observation, we propose a novel method called Universal Soldier for Backdoor detection (USB), which detects backdoors and reverse-engineers potential triggers via UAPs. Experiments on 345 models trained on several datasets show that USB effectively detects injected backdoors and gives results comparable to or better than state-of-the-art methods.
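To make the "cheaper UAP on a backdoored model" observation concrete, the following is an added illustration, not the paper's code or USB's actual algorithm. It uses a constructed linear classifier, a constructed parameter-level backdoor (a large weight from one hypothetical trigger coordinate `TRIGGER_DIM`, which is always 0 in clean data, to the hypothetical target class `TARGET`), constructed random inputs, and a simple sign-gradient UAP crafted under an L-inf budget. The per-class score is the smallest budget at which the UAP sends at least 90% of inputs to that class; on the backdoored model the target class is the abnormally cheap one and the crafted delta concentrates on the trigger coordinate. All names, constants and thresholds are assumptions of this demo.

```python
# Added illustration (not the paper's code) of the observation behind USB:
# on a backdoored model a universal adversarial perturbation (UAP) toward
# the target class needs a far smaller L-inf budget than on a clean model,
# because it can ride the trigger-to-target "shortcut". Model, trigger and
# data are all constructed for the demo.
import random

D, K = 20, 4          # input dimension, number of classes (constructed)
TRIGGER_DIM = 0       # hypothetical trigger: one coordinate that is always 0
                      # in clean data (think: a dead corner pixel)
TARGET = 2            # hypothetical backdoor target class
FOOL_RATE = 0.9       # fraction of inputs the UAP must push into the class
EPS_GRID = [i / 50 for i in range(1, 51)]   # L-inf budgets 0.02 .. 1.0


def dot(a, b):
    return sum(x * y for x, y in zip(a, b))


def make_clean_model(seed=1):
    """Random linear classifier: logit_k(x) = W[k] . x + b[k]."""
    rng = random.Random(seed)
    W = [[rng.uniform(-1, 1) for _ in range(D)] for _ in range(K)]
    b = [rng.uniform(-0.5, 0.5) for _ in range(K)]
    return W, b


def plant_backdoor(model, strength=50.0):
    """Parameter-level poisoning: a large weight from the trigger coordinate
    to TARGET. Clean inputs have that coordinate at 0, so clean behaviour is
    unchanged; a stamped input is pulled to TARGET."""
    W, b = model
    W2 = [row[:] for row in W]
    W2[TARGET][TRIGGER_DIM] += strength
    return W2, b[:]


def make_inputs(n=60, seed=7):
    rng = random.Random(seed)
    X = [[rng.uniform(0, 1) for _ in range(D)] for _ in range(n)]
    for x in X:
        x[TRIGGER_DIM] = 0.0          # clean data never lights the trigger
    return X


def stamp_trigger(x):
    xs = x[:]
    xs[TRIGGER_DIM] = 1.0
    return xs


def logits(model, x):
    W, b = model
    return [dot(w, x) + bk for w, bk in zip(W, b)]


def predict(model, x):
    l = logits(model, x)
    return max(range(K), key=l.__getitem__)


def fooling_rate(model, X, delta, target):
    hits = sum(predict(model, [xi + di for xi, di in zip(x, delta)]) == target
               for x in X)
    return hits / len(X)


def craft_uap(model, X, target, eps, steps=20):
    """Sign-gradient ascent on the margin (target logit minus best rival),
    summed over inputs not yet classified as target, projected onto the
    L-inf ball of radius eps. For a linear model the per-input gradient
    is just W[target] - W[rival]."""
    W, _ = model
    delta = [0.0] * D
    for _ in range(steps):
        grad = [0.0] * D
        for x in X:
            l = logits(model, [xi + di for xi, di in zip(x, delta)])
            rival = max((k for k in range(K) if k != target), key=l.__getitem__)
            if l[target] > l[rival]:
                continue                  # already fooled: no gradient
            for i in range(D):
                grad[i] += W[target][i] - W[rival][i]
        if not any(grad):
            break                         # every input is fooled already
        delta = [max(-eps, min(eps, d + (eps / 10) * (1 if g > 0 else -1 if g < 0 else 0)))
                 for d, g in zip(delta, grad)]
    return delta


def min_budget(model, X, target):
    """Smallest eps on EPS_GRID whose UAP reaches FOOL_RATE (None if none)."""
    for eps in EPS_GRID:
        if fooling_rate(model, X, craft_uap(model, X, target, eps), target) >= FOOL_RATE:
            return eps
    return None


def usb_scores(model, X):
    """Per-class minimal UAP budget: on a backdoored model the target class
    is abnormally cheap, and its delta approximates the trigger."""
    return [min_budget(model, X, t) for t in range(K)]


def suspected_target(scores):
    return min(range(K), key=lambda k: scores[k] if scores[k] is not None else 2.0)


if __name__ == "__main__":
    X = make_inputs()
    clean = make_clean_model()
    bad = plant_backdoor(clean)
    print("clean-input agreement:", sum(predict(clean, x) == predict(bad, x) for x in X) / len(X))
    print("stamped inputs -> TARGET:", sum(predict(bad, stamp_trigger(x)) == TARGET for x in X) / len(X))
    print("clean model budgets:", usb_scores(clean, X))
    print("backdoored budgets :", usb_scores(bad, X))
```

The demo deliberately does not clip `x + delta` back into the input range and uses a fixed budget grid; a real detector would work in the model's input domain and turn the per-class budgets into a statistic with a decision threshold, which the abstract above does not specify and this example does not guess.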