Deferred Backdoor Functionality Attacks on Deep Learning Models

We thank the reviewer for their constructive feedback.

Q: The paper limits its generalizability only on vision domain.

A: We agree that this is a limitation of our current work. While we demonstrate DeferBad's effectiveness in the vision domain, exploring similar concepts in NLP and speech domains would be valuable future research directions. Different modalities might present unique challenges and opportunities for deferred backdoor attacks.

.

Q: The paper lacks a rigorous theoretical explanation for why fine-tuning effectively reactivates the dormant backdoor.

A: Thank you for this insightful question. We have added a detailed explanation in Appendix C about the concealment mechanism. During concealment, selective layer updates force these layers to learn parameters that actively counteract the backdoor behavior present in other layers. This creates an unstable state because:

1. The updated layers must maintain specific parameter values to cancel out the backdoor signals from other layers
2. These canceling parameters are not a natural solution for the model's primary task, but rather a forced state
3. Any small perturbation to these parameters during fine-tuning will disrupt this artificial balance This empirically observed mechanism explains why fine-tuning, which naturally seeks more stable solutions for the primary task, tends to break this delicate balance and allows the backdoor functionality to re-emerge.

.

Q: The paper does not discuss or propose potential defense mechanisms against DBFA.

A: Thank you for raising this important point. We have added a discussion about defense mechanisms in the paper (see Appendix C for details). We believe that awareness of this type of attack combined with applying existing defense methods after fine-tuning would be sufficient for detection. Since the backdoor becomes active and exhibits typical backdoor behavior after fine-tuning, standard defense mechanisms can effectively detect it at this stage.

.

Q: Limited discussion on why differences occur in attack success rates based on the number of layers fine-tuned.

A: We have added more detailed analysis about this phenomenon in the paper (see Section 5.2 for details). For models with batch normalization (e.g., ResNet18), even minimal layer updates provide sufficient conditions for reactivation, while updating more layers can interfere with this process. For models without batch normalization (e.g., VGG16), ASR is highest when fine-tuning focuses on the last few layers where reactivation-related features are concentrated, with additional layer updates potentially disrupting these patterns.

Thank you for the authors' replying. After reading the rebuttal, I decide to reduce my scores to reject.

We thank the reviewer for their detailed and constructive feedback.

Q: How does DeferBad compare against existing camouflage backdoor approaches in recent literature?

A: Thank you for bringing this to our attention. We greatly appreciate your suggestions about recent camouflage backdoor approaches that we had not adequately addressed. We have updated our related works section and comparison table to provide a more comprehensive comparison. While recent unlearning-activated backdoor techniques demonstrate similar concepts, they face practical limitations: (1) they require unlearning services which are still limited in availability, especially in vision domains, and (2) they need attacker intervention to initiate unlearning requests for activation. In contrast, DeferBad leverages standard fine-tuning procedures that are universally supported and achieves activation without any attacker intervention post-deployment.

.

Q: Could you provide more theoretical insights into why selective layer updates create an "unstable equilibrium"?

A: Thank you for this insightful question. We have added a detailed theoretical explanation in Appendix C. During concealment, selective layer updates force these layers to learn parameters that actively counteract the backdoor behavior present in other layers. This creates an unstable equilibrium because: 1) The updated layers must maintain specific parameter values to cancel out the backdoor signals from other layers - much like balancing opposing forces 2) These canceling parameters are not a natural solution for the model's primary task, but rather a forced state that requires precise maintenance 3) Any small perturbation to these carefully balanced parameters during fine-tuning will disrupt this artificial equilibrium This is why fine-tuning, which naturally seeks more stable solutions for the primary task, tends to break this delicate balance and allows the backdoor functionality to re-emerge.

.

Q: Test DeferBad with newer and more sophisticated backdoor attacks to assess its generalizability.

A: While we have demonstrated DeferBad's effectiveness with both patch-based (BadNet) and feature-space invisible attacks (ISSBA), we acknowledge that testing with additional sophisticated attacks like Bpp and WaNet would provide valuable insights into our method's generalizability. We plan to explore this direction in future work to further validate our approach across a broader range of attack methods.

.

Q: Test DeferBad against more recent backdoor defense methods.

A: Following this suggestion, we have conducted additional experiments with three recent defense methods (see Appendix D for detailed results:

• Scale-Up [1]: DeferBad achieved an SPC score of 0.2906 (benign: 0.3072, BadNet: 1.0)

• IDB-PSC [2]: Score of 0.1048 (benign: 0.118, BadNet: 1.0)

• RCS [3]: MAD scores of 3.43 (benign: 1.49, BadNet: 6.62)

These results show DeferBad effectively evades Scale-Up and IDB-PSC, while showing improved stealthiness against RCS compared to conventional BadNet.

.

Q: Provide justifications for DeferBad's effectiveness when all model layers are fine-tuned.

A: We acknowledge your point about Figure 2's results. Indeed, DeferBad shows varying effectiveness across different models and attack types with full-layer fine-tuning. While some configurations like VGG ISSBA and EfficientNet show lower effectiveness (below 20%), ResNet18 and VGG BadNet maintain substantial ASR even with full fine-tuning (maintaining ~94%, ~70%, ~60% respectively). Importantly, even in cases with lower performance, DeferBad consistently shows some level of backdoor reactivation (minimum ~10% ASR) compared to the pre-activation state, aligning with our design goal of achieving at least partial effectiveness across all fine-tuning scenarios.

.

Regarding GradCAM as a detection method:

We note that GradCAM serves as a fundamental component for several backdoor detection methods, such as SentiNet[4] and Februus [5]. Previous works [6] have also validated their stealthiness against GradCAM specifically to demonstrate potential resistance to GradCAM-based detection methods. Therefore, demonstrating indistinguishable GradCAM heatmaps provides meaningful insights into DeferBad's potential to evade such visual explanation-based detection methods.

.

[1]: "Scale-up: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency." ICLR 2023

[2]:"IBD-PSC: Input-level Backdoor Detection via Parameter-oriented Scaling Consistency." ICML 2024

[3]: "Randomized channel shuffling: Minimal-overhead backdoor attack detection without clean datasets." Neurips 2022

[4]: "Sentinet: Detecting localized universal attacks against deep learning systems." S&PW'20

[5]: "Februus: Input purification defense against trojan attacks on deep neural network systems." ACSAC'20

[6]: "Invisible backdoor attack with sample-specific triggers." ICCV'21

We thank the reviewer for their thorough review and constructive feedback.

Q1: Why assume that users do not perform backdoor defense on the fine-tuned model?

A: We appreciate this perspective on detection timing. Your point about performing detection at both stages is valid and reasonable. While users could indeed perform detection at both stages, checking pre-trained models is a common practice for security-conscious deployments, as a backdoored pre-trained model could influence the fine-tuned model's behavior. This early detection helps reduce both security risks and computational costs. Additionally, since fine-tuning is strictly controlled by users in a secure environment with carefully verified clean data and procedures, when a model is verified clean and undergoes this controlled fine-tuning process, it is counter-intuitive to expect backdoor functionality to emerge. This aligns with common security principles where clean input (verified model) and process (controlled fine-tuning) are assumed to produce safe output. We acknowledge that both perspectives have merit in different security contexts.

.

Q: Why is there no summary of the latest backdoor attacks and defense methods in the related work section?

A: Thank you for this suggestion. We have significantly updated the related work section to include recent developments, including clean-Image attacks, unlearning-activated backdoors, and three state-of-the-art defense methods (Scale-Up, RCS, and IDB-PSC). We have also added experimental results for these defense methods in our paper.

.

Q: Is this method still effective for fine-tuning models using datasets different from the pre-training dataset? For example, using CIFAR-10 to fine-tune a pre-trained model based on ImageNet.

A: We acknowledge that DeferBad is not effective in transfer learning scenarios. However, our threat model specifically focuses on third-party training delegation rather than pre-trained model distribution. In this scenario, organizations outsource their model training to third parties, and subsequent fine-tuning represents continuous improvement on the same distribution. This reflects real-world cases where organizations lack computational resources or expertise for full model training and delegate the training process while maintaining control over fine-tuning for ongoing improvements.

.

Q: Why weren't the latest defense methods and model behavior-based defense methods used in the experiments? A: Following this suggestion, we have conducted additional experiments with three recent defense methods, including model behavior-based approaches (see Appendix D for detailed results):

• Scale-Up: DeferBad achieved an SPC score of 0.2906 (benign: 0.3072, BadNet: 1.0)

• IDB-PSC: Score of 0.1048 (benign: 0.1187, BadNet: 1.0)

• RCS: MAD scores of 3.43 (benign: 1.49, BadNet: 6.62)

These results show DeferBad effectively evades Scale-Up and IDB-PSC, while showing improved stealthiness against RCS compared to conventional BadNet.

.

Q: The descriptions about parameter update and freeze in Lines 283 and 295 conflict with Lines 333 and 334.

A: We apologize for this confusion and have corrected the parameter update description in the revised version. To clarify: for models with batch normalization, we update the first k layers, while for models without batch normalization, we update the last k layers. The revised version now consistently reflects this distinction.

.

Q: Is k the same parameter in backdoor concealment and backdoor activation? If yes, doesn't this mean the attacker could control the fine-tuning? If not, please provide the value of k used in the backdoor concealment phase.

A: No, k values differ between phases. We apologize for not explicitly stating the concealment phase k value in the paper - this was an oversight on our part. For clarity: we use k_c=1 during concealment and k_a=4 during activation (where subscript c and a denote concealment and activation respectively). As shown in our extensive experiments with varying k_a values (Fig. 2), the attacker has no control over fine-tuning parameters.

Thank you for your continued engagement with our work.

1. Regarding the practicality of backdoor detection after events:

We appreciate the reviewer's concern about the threat model. We would like to note that similar scenarios of deferred backdoor activation have been actively studied in recent literature. For instance, Unlearning Activated Backdoor [1, 2, 3] research explores backdoor activation through unlearning events, establishing precedent for our threat model where backdoors activate after specific model updates. In these works, the authors acknowledge that while service providers can employ model scanning before and after events, "frequent scanning after each unlearning request is overwhelmingly time-consuming" [1].

DeferBad builds upon this established research direction while introducing several practical advantages:

• Activation occurs through routine fine-tuning in trusted environments
• No attacker intervention is required post-deployment and the entire process occurs within user-controlled operations

These characteristics make DeferBad particularly relevant to real-world scenarios where organizations regularly update their models in trusted environments. While we acknowledge the possibility of continuous scanning, our approach aligns with emerging research that recognizes the practical challenges of frequent model inspection after routine updates.

.

2. Regarding fine-tuning and data distribution shifts:

We have already extensively examined DeferBad's effectiveness under data distribution shifts through experiments with CIFAR10-C and Tiny ImageNet-C datasets [3] (Tables 4 and 6). These experiments use various corruption types (Gaussian noise, fog, JPEG compression) at different severity levels, precisely addressing the scenario of data shifting that the reviewer describes. Our results demonstrate DeferBad's effectiveness across these distribution shifts, showing its practical applicability in real-world settings where data distributions naturally evolve.

.

[1] UBA-Inf: Unlearning Activated Backdoor Attack with Influence-Driven Camouflage." USENIX Security 2024.

[2] Backdoor attacks via machine unlearning. AAAI 2024.

[3] Hidden poison: Machine unlearning enables camouflaged poisoning attacks. NeurIPS ML Safety Workshop. 2022.

[3] "Benchmarking Neural Network Robustness to Common Corruptions and Perturbations." ICLR 2018.