Backdoor (Trojan) attack is a common threat to deep neural networks, where samples from one or more source classes embedded with a backdoor trigger will be misclassified to adversarial target classes. Existing methods for detecting whether a classifier is backdoor attacked are mostly designed for attacks with a single adversarial target (e.g., all-to-one attack). To the best of our knowledge, without supervision, no existing methods can effectively address the more general X2X attack with an arbitrary number of source classes, each paired with an arbitrary target class. In this paper, we propose UMD, the first Unsupervised Model Detection method that effectively detects X2X backdoor attacks via a joint inference of the adversarial (source, target) class pairs. In particular, we first define a novel transferability statistic to measure and select a subset of putative backdoor class pairs based on a proposed clustering approach. Then, these selected class pairs are jointly assessed based on an aggregation of their reverse-engineered trigger size for detection inference, using a robust and unsupervised anomaly detector we proposed. We conduct comprehensive evaluations on CIFAR-10, GTSRB, and Imagenette dataset, and show that our unsupervised UMD outperforms SOTA detectors (even with supervision) by 17%, 4%, and 8%, respectively, in terms of the detection accuracy against diverse X2X attacks. We also show the strong detection performance of UMD against several strong adaptive attacks.

翻译：后门（木马）攻击是深度神经网络面临的常见威胁，嵌入后门触发器的单个或多个源类样本将被错误分类至对抗目标类别。现有检测分类器是否遭受后门攻击的方法多针对单一对抗目标（如全对一攻击）设计。据我们所知，当前尚无无监督方法能有效处理更具普遍性的X2X攻击——这类攻击允许任意数量的源类与任意目标类配对。本文提出UMD，首个通过联合推断对抗（源，目标）类别对来有效检测X2X后门攻击的无监督模型检测方法。具体而言，我们首先定义一种新颖的迁移统计量，基于所提出的聚类方法度量和选择疑似后门类别对子集；随后通过聚合这些选定类别对的反向工程触发器大小进行检测推断，并采用我们提出的鲁棒无监督异常检测器。我们在CIFAR-10、GTSRB和Imagenette数据集上进行全面评估，结果表明，针对多样化X2X攻击，我们的无监督UMD在检测准确率上分别比现有最优检测器（包括有监督方法）高出17%、4%和8%。我们还展示了UMD在应对多种强自适应攻击时的强大检测性能。