A. Backdoor Attacks

Most backdoor attacks target deep neural network (DNN) models. A DNN model can be represented as a parameterized function ${f_\Theta }:\mathcal{X} \to \mathcal{Y}$ that maps an input $x \in \mathcal{X}$ to a probability vector over a group of class labels $\mathcal{Y}$. Θ is the set of parameters. The optimal parameters Θ are determined through training on a dataset ${D_{train}} = \left\{ {{x_i},{y_i}} \right\}_{i = 1}^n$ with n data samples. For x_i in the training dataset, the ground-truth label is y_i. The training process minimizes the loss function $\mathcal{L}$ by stochastic gradient descent (SGD): \begin{equation*}\mathop {\min }\limits_\Theta \frac{1}{n}\sum\limits_{i = 1}^n {\mathcal{L}\left( {{f_\Theta }\left( {{x_i}} \right),{y_i}} \right).} \tag{1}\end{equation*}View Source\begin{equation*}\mathop {\min }\limits_\Theta \frac{1}{n}\sum\limits_{i = 1}^n {\mathcal{L}\left( {{f_\Theta }\left( {{x_i}} \right),{y_i}} \right).} \tag{1}\end{equation*}

Albeit its good performance, training a sophisticated DNN model usually requires prohibitive time and money investments. For example, GPT-3 has more than 175 billion parameters and requires 3.14 × 10²³ flops, i.e., 355 GPU-years for a Tesla V100, the fastest GPUs on the market [3]. Furthermore, collecting large-scales of high-quality training samples is also cumbersome. For example, the accumulation of ImageNet dataset [10] for object recognition and classification took several years. Expert knowledge is also needed to decide the appropriate model structures and hyperparameters. These challenges incentivize source-limited users to outsource the model training procedure to the cloud server (e.g., Google, Amazon, and Microsoft) or directly download pre-trained models from online model zoos (e.g., Caffe Model Zoo²). However, in these cases, an adversary may manipulate the training process and provide a backdoored model to the user.

Backdoor attack (a.k.a trojan attack) is a form of training-phase attack where the attacker maneuvers the training dataset or the model training process [8], [19], [40]. The backdoored (trojaned) model behaves normally on benign samples but misclassifies all the samples stamped with the backdoor triggers to the target false label (targeted attack) or any false label (untargeted attack). The triggers may be model-dependent [18], [40], [61] or model-independent [7], [19], [27], [33], [36], visible [7], [18], [19], [27], [40], [44], [52], [59] or invisible [31], [35], [45], [51]. Apart from the centralized learning scenario, backdoor attacks can also be launched in the federated learning scenario [1], [38], [43], [60], [64].

B. Backdoor Defenses

C. Knowledge and Attention Distillation

Knowledge distillation (KD) was proposed to transfer the knowledge from a large teacher network to a small student network [21], [42], [46]. The student network imitates the intermediate and the deep layers of the teacher network. Knowledge distillation was first proposed by Hinton [21], which minimizes the Kullback–Leibler (KL) divergence between the probability vectors of the student model and the teacher model. \begin{equation*}{\theta _s} = {\arg _{\theta \in {\theta _s}}}\min {{\text{E}}_{x \in X}}\left[ {KL\left( {F_s^h\left( x \right),F_t^h\left( x \right)} \right)} \right],\tag{2}\end{equation*}View Source\begin{equation*}{\theta _s} = {\arg _{\theta \in {\theta _s}}}\min {{\text{E}}_{x \in X}}\left[ {KL\left( {F_s^h\left( x \right),F_t^h\left( x \right)} \right)} \right],\tag{2}\end{equation*} where F_s(·) is the student model, F_t(·) is the teacher model, θ_s is the parameters of the student model, and h is the temperature constant.

Recent works have applied the attention mechanism in knowledge distillation to supervise the training of the student model [28], [54]. The attention mechanism guides the student network to learn more high-quality intermediate representations, thus improving the distillation effect [28], [50]. A widely-used attention distillation scheme is proposed in [28], which includes two kinds of attention distillation: activation-based attention distillation and gradient-based attention distillation, each of which guides the student model to learn the attention map of the teacher model. More recently, Hou et al. [22] proposed a self-attention distillation mechanism where the student learns from itself, thus getting rid of the teacher model. The attention distillation is performed layer-wise and top-down in the model where the attention knowledge is propagated layer by layer from the shallow layers to intermediate layers and finally to deep layers. In this paper, we leverage self-attention distillation to erase the backdoor from a target model.

Defender

Following the threat models of existing purification defenses [32], [37], we assume that the defender obtains a trained model from an untrusted third party. The defender has a small set of clean samples to help validate the model. Note that this dataset is much smaller than the original training dataset used for training the model. The goal of the defender is to erase the backdoor from the received model while maintaining the model prediction accuracy on benign samples.

Attacker

We consider a powerful attacker. The attacker provides the trained model to the defender. The attacker has all the internal information of the model and its training dataset. The attacker can manipulate the model in any way to generate a backdoored model. The trigger can be in any shape, location, and size. The backdoor attack can be a traditional backdoor or an adaptive backdoor attack.

A. Design Rationale

Explanatory studies on neural networks have shown that shallow layers mainly extract macro features (global structural information) while intermediate and deep layers mainly extract micro features (fine-grained details) [28]. To ensure concealment, the triggers are usually designed as micro perturbations³ that have little effect on the global structure of the sample, thus affecting mostly deep layers but not shallow layers. Neural attention transfer (NAD) fine-tunes a teacher model from the backdoored student model, thus the teacher model potentially has good shallow layers but bad deep layers (maybe slightly better than the deep layers of the student model). NAD makes the good shallow layers of the student model learn from the good shallow layers of the teacher model, and the bad deep layers of the student model learn from the bad deep layers of the teacher model. In this way, the deep layers of the teacher model cannot effectively correct the deep layers of the student model. In contrast, we adopt self-attention distillation (SAD), which makes the bad deep layers learn from the good shallow layers through attention map alignment of the model itself such that the deep layers are potentially corrected.

To fulfill the design goals, SAGE performs three key steps, i.e., attention representation, loss calculation, and learning rate update, as shown in Fig. 1. In the attention representation module, we distill the attention of each neuron based on its contribution to the prediction results. In the loss calculation module, we rectify the weights of deep layers according to the attention knowledge of shallow layers while maintaining the model prediction accuracy. In the learning rate update module, rather than using the existing adaptation method (divide the learning rate by 10 every 2 epochs [32]), we design a novel learning rate adaptation strategy that carefully tracks the prediction accuracy of clean samples to guide the learning rate adjustment.

B. Attention Representation

Attention representation is critical for the success of correcting backdoors as we want to distill the essential attention knowledge to guide the self-purification process.

Given a backdoored model F_B, the activation tensor at the l-th layer is denoted as $F_B^l \in {R^{{C_l} \times {H_l} \times {W_l}}}$, where C_l, H_l, and W_l represent the channel dimension, height, and width of the attention map at the l-th layer, respectively. The attention representation is equal to seeking a mapping function $\mathcal{G}:{R^{{C_l} \times {H_l} \times {W_l}}} \to {R^{{H_l} \times {W_l}}}$. In the map, the absolute value of each element denotes its contribution to the final classification results. We build the mapping function $\mathcal{G}$ by computing statistics of these values across all channels. As suggested in [22], [32], the mapping function may adopt one of the following four forms. \begin{equation*}\begin{array}{r} {\mathcal{G}_{sum}}\left( {F_B^l} \right) = \sum\limits_{i = 1}^{{C_l}} {\left| {{F_B}_i^l} \right|}, \\ \mathcal{G}_{sum}^p\left( {F_B^l} \right) = \sum\limits_{i = 1}^{{C_l}} {{{\left| {{F_B}_i^l} \right|}^p}}, \\ \mathcal{G}_{max}^p\left( {F_B^l} \right) = \mathop {\max }\limits_{i = 1,{C_l}} {\left| {{F_B}_i^l} \right|^p}, \\ \mathcal{G}_{mean}^p\left( {F_B^l} \right) = \frac{1}{C}\sum\limits_{i = 1}^{{C_l}} {{{\left| {{F_B}_i^l} \right|}^p}} \end{array} \tag{3}\end{equation*}View Source\begin{equation*}\begin{array}{r} {\mathcal{G}_{sum}}\left( {F_B^l} \right) = \sum\limits_{i = 1}^{{C_l}} {\left| {{F_B}_i^l} \right|}, \\ \mathcal{G}_{sum}^p\left( {F_B^l} \right) = \sum\limits_{i = 1}^{{C_l}} {{{\left| {{F_B}_i^l} \right|}^p}}, \\ \mathcal{G}_{max}^p\left( {F_B^l} \right) = \mathop {\max }\limits_{i = 1,{C_l}} {\left| {{F_B}_i^l} \right|^p}, \\ \mathcal{G}_{mean}^p\left( {F_B^l} \right) = \frac{1}{C}\sum\limits_{i = 1}^{{C_l}} {{{\left| {{F_B}_i^l} \right|}^p}} \end{array} \tag{3}\end{equation*} where ${F_B}_i^l$ is the i-th slice of $F_B^l$ at the l-th layer, and p > 1 is a constant parameter.

$\mathcal{G}_{sum}^p$ is an upgraded version of ${\mathcal{G}_{sum}}$ that amplifies the weights with higher activations. With a larger p, higher weights are given to areas with higher activations. Different from $\mathcal{G}_{max}^p$ that only selects the maximum neuron activations as the weight, $\mathcal{G}_{sum}^p$ and $\mathcal{G}_{mean}^p$ considers the weights of all areas. Therefore, we adopt $\mathcal{G}_{sum}^p\left( {p \geq 1} \right)$ and $\mathcal{G}_{mean}^p\left( {p \geq 1} \right)$. Moreover, we investigate which mapping function achieves the best defensive performance in evaluations.

C. Loss Calculation

The distilled attention knowledge is used to guide the purification of the model. Unlike traditional attention distillation performed across the teacher model and the student model [28], our proposed self-attention distillation (SAD) is conducted within a single model through a top-down and layer-wise way. The key idea is to utilize the attention maps of shallow layers as a form of supervision for those of deep layers. The self-attention distillation loss ${\mathcal{L}_{SAD}}$ is denoted as \begin{equation*}\begin{array}{r} {\mathcal{L}_{SAD}}\left( {F_B^i,F_B^j} \right) = {\mathcal{L}_d}\left( {\psi \left( {F_B^i} \right),\psi \left( {F_B^j} \right)} \right), \\ {\text{s}}.{\text{t}}.\quad {\mathcal{L}_d}\left( {{\psi _1},{\psi _2}} \right) = {\left\| {{\psi _1} - {\psi _2}} \right\|_2}, \\ \psi ( \cdot ) = N(U(G( \cdot ))),N\left( {F_B^l} \right) = \frac{{F_B^l}}{{{{\left\| {F_B^l} \right\|}_2}}}, \end{array} \tag{4}\end{equation*}View Source\begin{equation*}\begin{array}{r} {\mathcal{L}_{SAD}}\left( {F_B^i,F_B^j} \right) = {\mathcal{L}_d}\left( {\psi \left( {F_B^i} \right),\psi \left( {F_B^j} \right)} \right), \\ {\text{s}}.{\text{t}}.\quad {\mathcal{L}_d}\left( {{\psi _1},{\psi _2}} \right) = {\left\| {{\psi _1} - {\psi _2}} \right\|_2}, \\ \psi ( \cdot ) = N(U(G( \cdot ))),N\left( {F_B^l} \right) = \frac{{F_B^l}}{{{{\left\| {F_B^l} \right\|}_2}}}, \end{array} \tag{4}\end{equation*} where G(·) is used to extract feature representations, and U represents the bilinear upsampling operation that unifies the attention representations of the shallow layers and the deep layers into the same size, ψ₁ and ψ₂ represent normalized vectors of the attention maps generated at two different layers, ${\mathcal{L}_d}( \cdot )$ represents the distance between two attention maps, and we use L₂-norm to calculate the distance. Instead of the softmax function [22], we apply the normalization function N(·) on the mapping function. The normalization operation is essential for our SAD since SAD performs attention map alignment across shadow layers and deep layers, but the attention maps of the shadow layers and the deep layers have divergent absolute values. Without normalization, the attention map alignment of the shadow layers and the deep layers will induce distortions that may degrade prediction accuracy on clean samples.

Using only the SAD loss ${\mathcal{L}_{SAD}}$ during retraining will greatly reduce the prediction accuracy of clean samples. This is because self-attention distillation merely aims to minimize the differences between the attention maps of different layers, regardless of whether the aligned attention maps conform to correct prediction results or not. To address this problem, we add cross entropy (CE) loss ${\mathcal{L}_{CE}}$ to guarantee the precision of prediction results for clean samples.

\begin{equation*} \mathcal{L} = {\mathcal{L}_{CE}}\left( {{{\hat y}^{(t)}},{y^{(t)}}} \right) + \sum\limits_{ < {i_k},{i_j} > \in paths} {{\beta _k}{\mathcal{L}_{SAD}}\left( {F_B^{{i_k}},F_B^{{j_k}}} \right)} ,\tag{5}\end{equation*}View Source\begin{equation*} \mathcal{L} = {\mathcal{L}_{CE}}\left( {{{\hat y}^{(t)}},{y^{(t)}}} \right) + \sum\limits_{ < {i_k},{i_j} > \in paths} {{\beta _k}{\mathcal{L}_{SAD}}\left( {F_B^{{i_k}},F_B^{{j_k}}} \right)} ,\tag{5}\end{equation*} where ${\mathcal{L}_{CE}}$ measures the prediction accuracy of the purified model on clean samples, and β_k is a hyperparameter that balances self-attention distillation and prediction accuracy preservation. We will later evaluate the impact of β_k on the performance of SAGE.

Algorithm 1 Algorithm of self-attention distillation process

The SAD loss is computed on each pair of layers in the model (referred to as path). For instance, given a 4-layer model, the SAD loss is computed between each pair of adjacent layers, i.e., paths = {< 1, 2 >, < 2, 3 >, < 3, 4 >}. Note that extra paths may be added, e.g., {< 1, 3 >}, {< 2, 4 >}, and {< 1, 4 >}. The number of possible paths in an l-layer model is as high as $\frac{{l(l - 1)}}{2}$. We will explore which SAD paths yield the best defensive performance in evaluations.

D. Learning Rate Update

Learning rate is a key configurable hyperparameter in optimization algorithms. Learning rate usually takes a small positive real value ranging from 0 to 1. It controls the step size of each iteration to guarantee steady convergence to the minimum of the loss function. Setting a proper learning rate is non-trivial. A large learning rate induces significant weight modifications in each iteration, leading to unstable performance oscillation during training. A small learning rate results in slow convergence and may be trapped in local optimum [4].

Traditional attention distillation strategies either used a fixed learning rate [22] or adjusted the learning rate heuristically (e.g., divided the learning rate by 10 every 2 epochs) [32]. As SAGE tries to achieve the goals of backdoor removal and prediction accuracy preservation simultaneously, the learning rate plays an important role in controlling the distillation process. Therefore, we propose a new strategy that carefully tracks the prediction accuracy of clean samples to guide the learning rate adjustment.

We designate two conditions for the learning rate to be reduced. The first condition C1 is that the loss on the clean data does not drop for a certain number of epochs during an interval. The second condition C2 is that the maximum loss on the clean data does not drop (remains the same) during an interval. In one of the above cases, we divide the learning rate by 2 as the distillation process needs to be curbed to restrict the degradation of prediction accuracy of clean data.

Let P denote the number of epochs in an interval. At the j-th interval, i.e., the jP -th epoch, if the following conditions are satisfied, the learning rate η will be adjusted; otherwise, the learning rate stays unchanged. \begin{equation*} {\begin{cases} {{\mathbf{C1}}:\sum\nolimits_{k = (j - 1)P}^{jP - 1} {1\!\!\!\!{\text l}\left( {{\mathcal{L}^{(k + 1)}} < {\mathcal{L}^{(k)}}} \right) < \rho \cdot P,} } \\ {{\mathbf{C2}}:{\eta ^{(j - 1)P}} \equiv {\eta ^{jP}}{\text{and}}\,\mathcal{L}_{max}^{jP} \geq \mathcal{L}_{max}^{(j - 1)P},} \end{cases}} \tag{6}\end{equation*}View Source\begin{equation*} {\begin{cases} {{\mathbf{C1}}:\sum\nolimits_{k = (j - 1)P}^{jP - 1} {1\!\!\!\!{\text l}\left( {{\mathcal{L}^{(k + 1)}} < {\mathcal{L}^{(k)}}} \right) < \rho \cdot P,} } \\ {{\mathbf{C2}}:{\eta ^{(j - 1)P}} \equiv {\eta ^{jP}}{\text{and}}\,\mathcal{L}_{max}^{jP} \geq \mathcal{L}_{max}^{(j - 1)P},} \end{cases}} \tag{6}\end{equation*} where ρ is a constant that controls the degree of learning rate adjustment, which is set as 0.5 in our experiments. $1\!\!\!\!{\text l}$ is the indicator function. Condition C1 checks whether the number of epochs that the loss on clean data drops in an interval is lower than a threshold. In this condition, it is considered that the learning rate needs to be reduced to facilitate the learning of benign features from clean data. Condition C2 checks whether the maximum loss on clean data remains the same or increases during training and the learning rate has not changed in two adjacent checkpoints. In this condition, it is considered that the learning rate needs to be changed to prevent performance oscillation. Note that the learning rate will not change if the clean data accuracy increases or stays unchanged, thus SAGE will not deteriorate the clean data accuracy.

The overall algorithm of SAGE is summarized in Algorithm 1.

TABLE II Impact of normalization function. The clean data size is set as 5%.

A. Experimental Setup

Evaluation metrics

To evaluate the defense performance, we employ both attack success rate (ASR) and model prediction accuracy (MPA) in the experiments. Attack success rate (ASR) is calculated as the percentage of backdoored samples that are misclassified by the target model to the targeted false label⁵. Model prediction accuracy (MPA) is calculated as the ratio of accurately labeled benign samples in the test dataset, which does not intersect with the clean data used by SAGE.

TABLE III Impact of learning rate adjustment algorithm. The clean data size is set as 5%.

Backdoor attack/defense methods

We apply SAGE and baseline defenses to eight state-of-the-art backdoor attacks, i.e., BadNets [19], TrojanNN [40], HB [51], RobNet [18], WaNet [45], Ingrain [16], ISSBA [34], and ATTEQ-NN [17]. Besides, we compare SAGE with six state-of-the-art backdoor model purification methods, i.e., fine-tuning, pruning, fine-pruning [37], NAD [32], MCR [69], and ANP [62]. We implement the baselines using their original source codes and ensure convergence with enough epochs.

More details of the datasets, model structures, and setup about these backdoor attacks and defenses are described in the Appendix. All experiments are implemented in Python and run on a 14 core Intel(R) Xeon(R) Gold 5117 CPU @2.00GHz and NVIDIA GeForce RTX 2080 Ti GPU machine running Ubuntu 18.04 system.

If the model consists of blocks instead of layers, we treat blocks as layers to compute attention maps and SAD loss. In particular, a block is a repetitive integrated structure composed of multiple layers in a model, such as the inception block in Inception-v3 [55] and the building block in ResNet [20]. For simple models without blocks such as LeNet [30], experiments show that applying SAGE directly on convolutional layers is enough to achieve the defense goal.

TABLE IV Impact of attention functions on the defense performance of SAGE. The clean data size is set as 5%.

B. Comparison with Baseline Defenses

We compare the defense performance of SAGE with the above-mentioned six state-of-the-art backdoor model purification methods⁶. We apply these defenses to the above-mentioned eight state-of-the-art backdoor attacks. We perform these attacks and baseline defenses based on the original settings of their open-source codes. We set the threshold of model pruning as 5%, i.e., once the decrease of prediction accuracy of clean samples is larger than or equal to 5%, the pruning operation will be terminated. Since fine-pruning is the combination of model pruning (first step) and fine-tuning (second step), we use the same pruning rate for model pruning and fine-pruning. Note that since HB [51], ISSBA [34], and ANP [62] are only applicable for three-channel datasets, we only evaluate these attack/defense strategies on CIFAR-10, CIAFR-100, and ImageNette. The comparison results are shown in Fig. 4-​7 (appendix). Clean data denotes the ratio of data samples used by the defense methods to the training data samples [32], [37].

After applying SAGE and baseline defenses, we can see that the purified models of SAGE achieve the lowest attack success rates for all datasets in most cases. Given a clean dataset size as 1%, take CIFAR-10 as an example, SAGE brings the ASR from 81.52% down to 10.11% (BadNets), from 99.64% down to 19.42% (TrojanNN), from 98.85% down to 10.83% (RobNet), from 97.25% down to 6.79% (WaNet), from 73.20% down to 29.83% (HB), from 100% down to 65.12% (Ingrain), from 90.77% down to 8.06% (ISSBA), and from 100.0% down to 0.00% (ATTEQ-NN) respectively, while the lowest ASR of purified models of baseline defenses is still as high as 10.20% (BadNets), 38.21% (TrojanNN), 74.47% (RobNet), 29.84% (HB), 8.96% (WaNet), 70.76% (Ingrain), 8.11% (ISSBA), and 100.0% (ATTEQ-NN). For the high-resolution dataset ImageNette (5% clean dataset size), SAGE can significantly reduce the average ASR of the eight state-of-the-art backdoor attacks to 18.87%, while fine-tuning, model pruning, fine-pruning, NAD, MCR, and ANP can only reduce the average ASR to 58.53%, 68.29%, 49.78%, 36.01%, 56.13%, and 60.26%, respectively. Although MCR can reduce the ASR of BadNets and TrojanNN more than that of SAGE in some cases of ImageNette, its MPA is much lower than SAGE (≥ 8%).

In terms of MPA, it is shown that all model-purification defenses (including SAGE) have a negative effect on MPA, but the drops of SAGE are less than 3% in almost all cases. The reason is that SAGE adapts the self-attention distillation with normalization and a dynamic learning rate adjustment strategy. Ablation studies have verified that these two strategies can significantly improve prediction accuracy. In some cases, SAGE can even improve the prediction accuracy of backdoored models higher than benign ones. In comparison, other baseline defenses either fail to maintain high prediction accuracy or fail to effectively reduce the attack success rate of advanced backdoor attacks (RobNet, Ingrain, ISSBA, and ATTEQ-NN).

TABLE V Impact of distillation path. The weight parameters are fixed as (300, 300, 300). Since MNIST model is too simple (has 2 convolutional layers), we only evaluate the CIFAR-10, CIFAR-100, and ImageNette datasets. The clean data size is set as 5%.

TABLE VI Backdoor detection of sage-purified models by NC. The detection threshold is set as 2.0, over which the model is deemed as backdoored.

TABLE VII Computational costs of SAGE and baseline defenses in purifying TrojanNN backdoored model (in seconds). FT: Fine-tuning. FP: Fine-pruning.

To further investigate whether SAGE successfully cleanses the backdoor, we use NC [59] to detect the backdoored model purified by SAGE. The threshold of MAD (Median Absolute Deviation) in NC for anomaly detection is set as 2.0, over which the model is deemed as a backdoored model. As shown in Table VI, the MAD values of all purified models by SAGE are below 2.0, meaning that the model is not considered as being backdoored by NC. The results verify the effectiveness of SAGE in backdoor purification.

We apply SAGE to the benign models of the four datasets. The purified models have an accuracy of 98.75% (MNIST), 91.18% (CIFAR-10), 78.32% (CIFAR-100), and 85.95% (ImageNette), respectively. The maximum accuracy drop is less than 0.7%. The results show that SAGE hardly affects the prediction accuracy of benign models.

C. Computational Costs

To assess the efficiency of SAGE, we compare the computational costs of SAGE with baselines in Table VII. Compared with other defenses, NAD and SAGE have higher computational costs mainly due to the time-consuming distillation process. SAGE has a lower computational cost than NAD since NAD needs to train a teacher model. Overall, SAGE has the best purification performance with reasonable computational costs.

D. Ablation Study

Impact of dynamic learning rate update

We propose a more sophisticated strategy that carefully tracks the prediction accuracy of clean samples to guide the learning rate adjustment. To explore the effectiveness of our dynamic adjustment strategy, we compare the defense performance of SAGE when using a fixed learning rate (0.01), simple learning rate adjustment (divide the learning rate by 10 every 2 epochs [32]), and our proposed dynamic learning rate update. The comparison results are shown in Table III and Table XXI (appendix). We can see that our dynamic learning rate update can not only improve the defense effectiveness but also improve the prediction accuracy on clean samples. Moreover, the dynamic learning rate update of SAGE is less likely to be trapped in local suboptimal results than the simple learning rate adaptation method of NAD.

TABLE VIII Impact of weight parameters. The distillation path is paths = {< i, i + 1 >}. Since the MNIST model is too simple (has 2 convolutional layers), we only evaluate the CIFAR-10, CIFAR-100, and ImageNette. The clean data size is set as 5%.

Fig. 2.

Attention maps of different layers in the purified model of SAGE, compared with those in benign models, backdoored models, and purified models of NAD.

Show All

E. Attention Maps

To corroborate our design rationale that SAGE is able to purify the backdoor in the deep layers of the model with the help of the shallow layers, we plot attention maps [32], [49] of different layers in the purified model of SAGE, compared with those in benign models, backdoored models, and purified models by the baseline NAD. The attention map of a specific layer given a certain input illustrates the focal area of the layer on the input, which contributes to the final prediction result.

TABLE IX Impact of trigger shape on SAGE.

TABLE X Impact of trigger size on SAGE.

Due to page limitations, we only discuss some of the advanced attacks that can evade NAD defense. Since the trigger of ISSBA is global, we did not specifically mark the trigger. As shown in Fig. 2, the focal areas in the shallow layers of the backdoored model are similar to those of the benign model (both on the right area), while the focal areas in the deep layers of the backdoored model are different from those of the benign model (the former on the trigger area). SAGE-purified models can correct the focal areas to be close to those of benign models. In contrast, for malicious samples of advanced backdoor attacks, NAD-purified models cannot re-align the focal areas of deep layers to those of benign models. Thus, NAD cannot successfully purify backdoors from these backdoored models, and the attack success rate of these purified models can still reach more than 30%. These observations confirm our design intuition.

TABLE XI Apply SAGE on class-specific trigger attacks.

A. Multi-trigger Same-Label Attacks

This backdoor attack variant considers that the attacker may inject multiple distinctive triggers into the target model, aiming to force the backdoored model to misclassify any input sample attached with any one or combinations of these triggers to the same target false label.

To evaluate whether SAGE is still effective in erasing the backdoor from such attacks, we apply SAGE to the multi-trigger same-label attack of RobNet [18]. The attacker is assumed to inject 1, 3, and 5 triggers to the target model, and we follow the settings in RobNet [18] to generate these triggers. Note that the target label is labeled 3 for all datasets. As shown in Table XIII (appendix), we can see that SAGE is robust to multi-trigger same-label attacks for all datasets. After purification, the attack success rate of all attacks significantly drops, while the clean data accuracy of the model hardly changes.

B. Multi-trigger Multi-label Attacks

In multi-trigger multi-label attacks, the attacker also injects multiple different triggers to the target model, but each trigger leads to misclassification of a different target label.

To evaluate whether SAGE is effective in such cases, we apply SAGE to the multi-trigger multi-label attack of RobNet [18]. The attacker is assumed to inject 1, 3, and 5 triggers to the target model, and we follow the settings in RobNet [18] to generate these triggers. The target label of the single-trigger attack is label 3. The target labels of the 3-trigger attack are labels 3, 4, and 5, respectively. The target labels of the 5-trigger attack are labels 3, 4, 5, 6, and 7, respectively. As shown in Table XVI (appendix), we can see that SAGE is also robust to multi-trigger multi-label attacks.

TABLE XII Performance of SAGE against adaptive backdoor attacks.

C. Large Trigger Attacks

To explore the impact of trigger size, we vary the trigger size of TrojanNN [40] from 3 × 3 to 20 × 20 for MNIST, CIFAR-10, and CIFAR-100. For the high-resolution dataset ImageNette (224×224), we vary the trigger size of TrojanNN [40] from 32 × 32 to 128 × 128. For all the datasets, the poisoning rate is set as 10%, the transparency value is 0.5, and the trigger shape is square.

As shown in Table X, for low-resolution datasets (32 × 32), SAGE can also effectively reduce the attack success rate to less than 22% even if the trigger size is as large as 20 × 20. In terms of the high-resolution dataset ImageNette, we can see that even with a trigger size of 128 × 128, SAGE is still effective in reducing the ASR of the backdoored model to 27.15%.

D. Transparent Trigger Attacks

Most of the existing backdoor attacks [7], [18], [19] set the trigger transparency as 0%, i.e., the trigger is opaque. Although such a setting can enhance the attack success rate, the obvious trigger may also attract attention from the defenders. A more transparent trigger will improve the concealment of the attack.

We test SAGE under ten different trigger transparency values of TrojanNN [40], i.e., 0∼0.9 at an interval of 0.1. Note that a high transparency value (more transparent) will reduce the attack success rate. As shown in Table XVIII (appendix), as the transparency value increases, the attack success rate of backdoor attacks will decrease, i.e., the backdoored model is closer to the clean model. Even in such cases, we find that SAGE can further decrease the attack success rate to an even lower level. Interestingly, SAGE can improve the model prediction accuracy in some cases. For instance, when the transparency value is 0.9 (CIFAR-100), the ASR and MPA of TrojanNN are 13.45% and 65.40%, respectively. After applying SAGE on the backdoored model, the ASR falls to only 1.64%, while the MPA goes up to 69.37%.

E. Class-Specific Trigger Attacks

The traditional backdoor attacks are class-agnostic [19], [40], [61], i.e., the effect of the backdoor trigger is independent of the source classes. The backdoored model can misclassify samples from any label attached with the backdoor trigger to the target false label. The attack is dominantly determined by the backdoor trigger. Unlike class-agnostic attacks, in class-specific attacks, the backdoor trigger only works on the samples of a specific class. The backdoored model can only misclassify samples from the specific class attached with the trigger to the target label. In this case, the attack is determined by both the backdoor trigger and the specific class. Recent studies [56] have shown that most of the existing defenses are ineffective for class-specific backdoor attacks.

Fig. 3.

Attention maps of the original Ingrain and the adaptive Ingrain attacks before and after SAGE purification.

Show All

As shown in Table XI, SAGE can effectively reduce the ASR of class-specific trigger attacks to less than 10%. Take ImageNette as an example. After applying SAGE, the ASR of the backdoored model decreases from 91.14% to 1.01%, which demonstrates the defense efficacy of SAGE.