Thanks for the reviewer's comments on FMP and ANP.

Firstly, as illustrated in Table 1 in the paper, it is evident that in the majority of experimental results, FMP consistently outperforms ANP. For instance, on average, FMP reduces the ASR from 68.27% to 2.86% in the CIFAR10 dataset. The key reasons for FMP achieving higher performance and the observed differences between FMP and ANP can be simply concluded that FMP focuses on the feature map level, aligning with the backdoor trigger's focus on the DNN feature map, rather than specific neurons within the DNN~(e.g., ANP), where we have added this to our revised paper now.

some other attributes can considered as the following aspects:

1. Feature Map Level Focus:

• FMP: Concentrates on the feature map level, aligning with the backdoor trigger's focus on the DNN feature map, rather than specific neurons within the DNN.
• ANP: During the pruning procedure, ANP may only prune a subset of backdoor-related neurons within the backdoor feature map, potentially leaving some undetected. This results in a higher ASR after the defense procedure.

2. Extraction of Backdoor Trigger Information:

• FMP: Aims to identify the backdoor feature map extractor/learner that captures backdoor trigger information.
• FMP: Utilizes each feature map to ascend the gradient and reproduce learned features. If the reproduced feature map is linked to the backdoor, there is a significant decrease in DNN prediction. Robust feature maps that are less influenced by the backdoor trigger are not pruned during the FMP pruning procedure.

On the other hand: 1. Direct Perturbation of Neuron's Bias and Weights:

• ANP: Directly perturbs the neuron's bias and weights, impacting both normal and backdoor-related neurons.
• ANP: Unlike FMP's focus on input sample perturbation, ANP's direct perturbation can cause neurons with a higher impact on DNN predictions to be represented as backdoor neurons. This may affect the backdoor neuron detector.
• ANP: If ANP attempts to protect these neurons (i.e., does not remove them), some backdoor neurons may also remain, leading to a higher ASR.

In summary, while both FMP and ANP aim to defend against backdoor attacks, FMP's emphasis on the feature map level and the specific way it reproduces learned features contribute to its higher performance compared to ANP in mitigating backdoor attacks, as observed in experimental results.

Q1: When the authors have parametric variables in a table, it should be better to draw these results with figures. Thanks for the reviewer's recommendation, we are now adding the figures to the appendix. Due to page limitations, we will reorganize it in our final version.

Thanks for the reviewer's comments on FMP.

For Q1, in DNN, each layer contains multiple channels, whereas in FMP, we define the feature map as a channel in the neural network layer.

For Q2, first, the correct_list can also represent the accuracy list of the deep neural network for different feature maps attacked by FRG. Next, once FRG is conducted, each feature map may have different accuracy. Our motivation is that in the backdoor model, once the backdoor trigger has been added to the input (the backdoor feature map reproduces the backdoor information with an adversarial attack), the DNN will have lower accuracy compared to attacking other feature maps. Then, we will ArgSort the correct_list and obtain the N/p feature maps that have lower accuracy on the left N/p (that's why we use ascending order).

For Q3 and Q4, all feature maps are fine-tuned (but only backdoor feature maps will be initially set to zero). To address the reviewer's concern about the training strategies, we evaluatedte how the initialization and tuning methods affect FMP's effectiveness in the table below:

Table 1: Performance comparison (%) of backdoor defense methods on CIFAR10, CIFAR100, and GTSRB datasets under PreActResNet18, under different attack strategies with a poison rate of 10% and retraining data ratio of 100%. We set the $\epsilon$ to 1/255, and the $p$ is set to 64.

Answer to Q5: Thanks for reviewer's concern for the $\epsilon$ and $p$ under other attacks. To address reviewer's concern, we conduct experiment for LowFrequency and WaNet with different $\epsilon$ and $p$ in the following tables:

Table 1: FMP's effectiveness under different $\epsilon$ in CIFAR10 dataset under Low Frequency attack.

Table 2: FMP's effectiveness under different $p$ in CIFAR10 dataset under Low Frequency attack.

Table 3: FMP's effectiveness under different $\epsilon$ in CIFAR10 dataset under WaNet attack.

Table 4: FMP's effectiveness under different $p$ in CIFAR10 dataset under WaNet attack.

We canfind that in different $\epsilon$ and $p$ configuration, FMP has same behaviors in BadNets. Hope these experiments can address reviewer's concern for the affect of hyper-parameters in our experiments.

Notes: we will address all minor comments in our final version. For the provided related works, we will also add it in our final version.

Dear Reviewer gATw,

we have add all experiment required by you, e.g., comparison with other adversarial-related baselines and compasiron with other SOTA defense strategies, in our paper's appendix.

In summary, the primary reason for this is FMP's focus on the feature map level, which aligns with the backdoor trigger's emphasis on the DNN feature map, rather than on specific neurons within the DNN (e.g., as in ANP).

Secondly, the pruning at the feature map level enables FMP to rapidly eliminate the backdoor trigger from the model. In contrast, neuron-level pruning typically requires significant overhead due to the need for repeated prune-finetune-evaluation cycles. FMP is particularly advantageous in scenarios with limited computational resources, where developers may not have the capacity to extensively evaluate and remove backdoors from the model. This limitation results in strategies like ANP, AEVA, and RNP exhibiting higher ASR compared to FMP in our setup.

We highly hope Reviewer gATw can consider our experiment results and if Reviewer gATw has any question for our paper, feel free to point out and we will try to address it quickly.

We deeply appreciate the feedback from Reviewer W4kG on our paper.

We have revised the paper for the comments provided by Reviewer W4kG.

Specifically:

For Q1: Thank you for pointing out the confusing descriptions in our paper. Specifically, both $F_{\theta}^{i}$ and $f_{\theta}^{i}$ refer to the i-th feature map in the DNN. We will replace $F_{\theta}^{i}$ to $f_{\theta}^{i}$ and clarify this in our final version.

For Q2: Regarding the returned FRG-generated adversarial sample $x'$, Reviewer W4kG can also consider it as $\hat{x'}$, consistent with $\hat{y}$ in Algorithm 1, line 8. We acknowledge the confusion caused by using $x$ in Algorithm 1, line 7. To avoid misunderstanding, the our revised version, we use the $x'$, $y'$ to replace Algorithm 1, lines 7 and 8 now.

For Q3: Normal feature maps will not be pruned. To clarify, "If a feature map does not change the classification of 'x,' is it a normal feature map and should be retained?" is accurate. In other words, robust/normal feature maps will not be pruned, meaning we will only prune feature maps with lower accuracy in the Correct_List. This is why we use ascending order and then prune the left N/p feature maps.

We also acknowledge Reviewer W4kG's suggestion to conduct experiments on a more complex dataset, such as ImageNet. Unfortunately, due to the extended training time required for ImageNet, we can only provide experimental results on Tiny-ImageNet now. However, we commit to presenting results on ImageNet in our final version.

The experiment results are presented below:

It's noteworthy that FMT performs better than baseline approaches. For instance, in BadNet, FMT reduces the ASR from 1.39% to 0.08%.

If Reviewer W4kG has any questions, feel free to provide them, and we would be more than happy to address and clarify any queries or concerns.