The backdoor attack, where the adversary uses inputs stamped with triggers (e.g., a patch) to activate pre-planted malicious behaviors, is a severe threat to Deep Neural Network (DNN) models. Trigger inversion is an effective way of identifying backdoor models and understanding embedded adversarial behaviors. A challenge of trigger inversion is that there are many ways of constructing the trigger. Existing methods cannot generalize to various types of triggers by making certain assumptions or attack-specific constraints. The fundamental reason is that existing work does not consider the trigger's design space in their formulation of the inversion problem. This work formally defines and analyzes the triggers injected in different spaces and the inversion problem. Then, it proposes a unified framework to invert backdoor triggers based on the formalization of triggers and the identified inner behaviors of backdoor models from our analysis. Our prototype UNICORN is general and effective in inverting backdoor triggers in DNNs. The code can be found at https://github.com/RU-System-Software-and-Security/UNICORN.

翻译：后门攻击是一种严重威胁深度神经网络（DNN）模型的安全攻击方式，攻击者使用带有触发器（例如补丁）的输入来激活预先植入的恶意行为。触发器逆向是识别后门模型并理解其嵌入的对抗性行为的有效方法。触发器逆向面临的一个挑战在于触发器有多种构建方式。现有方法通过做出特定假设或施加攻击特定约束，无法泛化至多种触发器类型。其根本原因在于，现有工作在制定逆向问题时未考虑触发器的设计空间。本研究正式定义并分析了注入不同空间的触发器及其逆向问题，并基于触发器的形式化定义以及从分析中识别的后门模型内在行为，提出了一种统一的逆向框架。我们的原型系统UNICORN在逆向DNN后门触发器方面具有通用性和有效性。代码详见https://github.com/RU-System-Software-and-Security/UNICORN。