Mitigating Backdoor Attack Via Prerequisite Transformation

In recent years, with the successful application of DNN in fields such as NLP and CV, its security has also received widespread attention. (Author) proposed the method of backdoor attack in Badnet. Switch implanted backdoor into the model by poisoning the training samples. The model with backdoor did not exhibit any abnormalities on the normal validation sample set, but in the input with trigger, they were mistakenly classified as the attacker's designated category or randomly classified as a different category from the ground truth, This attack method seriously threatens the normal application of DNN in real life, such as autonomous driving, object detection, etc.This article proposes a new method to combat backdoor attacks. We refer to the features in the area covered by the trigger as trigger features, and the remaining areas as normal features. By introducing prerequisite calculation conditions during the training process, these conditions have little impact on normal features and trigger features, and can complete the training of a standard backdoor model. The model trained under these prerequisite calculation conditions can, In the verification set D'val with the same premise calculation conditions, the performance is consistent with that of the ordinary backdoor model. However, in the verification set Dval without the premise calculation conditions, the verification accuracy decreases very little (7%~12%), while the attack success rate (ASR) decreases from 90% to about 8%.Author call this method Prerequisite Transformation(PT).