Existing research on training-time attacks for deep neural networks (DNNs), such as backdoors, largely assumes that models are static once trained and that hidden backdoors trained into models remain active indefinitely. In practice, models are rarely static but evolve continuously to address distribution drifts in the underlying data. This paper explores the behavior of backdoor attacks in time-varying models, whose model weights are continually updated via fine-tuning to adapt to data drifts. Our theoretical analysis shows how fine-tuning with fresh data progressively "erases" the injected backdoors, and our empirical study illustrates how quickly a time-varying model "forgets" backdoors under a variety of training and attack settings. We also show that novel fine-tuning strategies using smart learning rates can significantly accelerate backdoor forgetting. Finally, we discuss the need for new backdoor defenses that target time-varying models specifically.