A Subspace Projective Clustering Approach for Backdoor Attack Detection and Mitigation in Deep Neural Networks

Yue Wang, Wenqing Li, Esha Sarkar, Muhammad Shafique, Michail Maniatakos, Saif Eddin Jabari

Research output: Contribution to journal › Article › peer-review

Abstract

Backdoor attacks in deep neural networks (DNNs) involve an attacker inserting a backdoor into the network by manipulating the training dataset, which causes misclassification of inputs that contain a specific trigger. Detecting and mitigating such attacks are challenging, as only the attacker knows the trigger and target class. Our study demonstrates that the representations, i.e., the neuron activations for a given DNN, of poisoned and genuine data lie in different subspaces, which implies that there exists a certain subspace where the difference of projections from different data can be manifested. To this end, we propose a method based on subspace projective clustering (SPC), which learns a subspace as well as a projection-based weight vector by solving a projection maximization program, and the optimized weight vector can be utilized in a clustering framework to infer the group of data. Based on our theoretical analysis and experimental results, we demonstrate the effectiveness of our method in defending against backdoor attacks that use different settings of poisoned samples on GTSRB, Imagenet, VGGFace2, and PubFig datasets in comparison with the state-of-the-art methods. Our algorithm can detect more than 90% of the infected classes and identify 95% of the poisoned samples.

Original language: English (US)
Pages (from-to): 3497-3509
Number of pages: 13
Journal: IEEE Transactions on Artificial Intelligence
Volume: 5
Issue number: 7
State: Published - 2024

Keywords

  • Backdoor attacks
  • backdoor defense
  • deep neural networks (DNNs)
  • machine learning security
  • optimization

ASJC Scopus subject areas

  • Computer Science Applications
  • Artificial Intelligence
