Mask and Restore: Blind Backdoor Defense at Test Time with Masked Autoencoder

Justifications of the last paragraph in Section 4.2.

The image-based score leverages the structural similarity between original image and its MAE restorations. When triggers are large and complex, the SSIM scores in the trigger regions are more salient, thus it is easy to detect such trigger. Otherwise when triggers are small, the structural difference between original image and MAE restorations are small, making it hard to detect triggers.

The label-based score works in an opposite manner. When triggers are small, it is likely that MAE masks can remove the triggers, thus the label prediction changes to the ground-truth. Otherwise when triggers are large, some parts of the triggers may remain in the MAE restorations, thus the model still predict test image as the target label.

In Sec. F.4, we have included related discussions on varying trigger size and the corresponding different behaviours of two scores.

Justifications of the last two sentences in Discussion and Limitation.

Our work focuses on local triggers. For invisible non-local triggers, we can apply an additional test-time image transformation to the test image. Although these transformations could not work on visible local triggers, they are likely to work on invisible global triggers. In (Shi et al., 2023), the authors deal with a similar task as ours. They first add some random noises to the image, and then use diffusion models to restore image. It's hard to incapacitate complex triggers (like IAB curves) using some global transformation without harming clean accuracies. As discussed in Sec.3, detecting the location of possible local triggers is still important. We believe the combination of test-time image transformation and our method is an interesting work to handle both local and non-local triggers.

ASR after defense.

We highlight that the studied task of test-time defense for black-box models is quite challenging. Only the single test image and its hard label predictions are available. Some high ASR occurs on challeging attacks like IAB. The corresponding triggers are frequently long curves going through the whole image or a couple of fragments. In these cases, the comparison methods completely fail, while ours obtain a decent result. Also, we consider both accuracies on clean image and backdoored images. Our method is not tuned to get the best ASR scores at the expense of clean accuracies.

Effective under the all-to-all setting.

We conducted IAB attack with all-to-all setting. The comparison results are list below. Our method still works the best in such setting.

Setting with local triggers.

Our work focuses on local triggers. Local triggers are easy to be implemented in the physical world, for example by adding a sticker to the image. Meanwhile, they are robust to photometric noises or geometric distortions. These unique properties indicate that backdoor defense methods designed for (invisible) full-image-size triggers may not be optimal for local triggers. In the paper, we show that test-time image transformations (including the advanced ones with diffusion models) do not work well. Research on test-time defense for local triggers is still meaningful.

We use the word 'local' as opposed to full-image-size. However, we do not restrict our work to small squared patches. In the paper, we consider several complex triggers. IAB uses sample-specific irregular cuerves. LC uses checkerboards at four distant corners. Blended uses an invisible patch. We design our method to be generalizable enough to handle all these cases.

Technical contributions.

As explained in the previous question, we try to handle diverse triggers within the realm of local ones. Given that we are solving test-time defense for black-box models where only one single test image and its hard label predictions are available, a unified solution for this task is not straightforward. In the tables, we compare with PatchCleanser that uses a two step masking. Its assumption that the entire trigger can be covered by a small rectangle mask is not applicable to LC and IAB attacks. Test-time image transformations also could not work well.

Our method simultaneously locate triggers and recover true labels. We innovatively integrate MAE into our method, and transform trigger detection into refining trigger scores in the token space. With the help of MAE reconstruction, we can successfully purify backdoored images with complex triggers like irregular curves without harming accuracies on clean images.

Topology refinement.

We would like to thank for pointing out these two interesting works. 'Topology' is an important and basic concept that encodes prior knowledge on backdoor triggers and networks. (R1 Trigger Hunting) is related to ours but for a different target. It considers the topology of triggers during the reverse engineering to identify Trojaned models. The authors explicitly apply a topological loss during the optimization of trigger masks. Differently, our work uses the idea of topology to sample better MAE masks. We iteratively generate topology-aware MAE masks based on trigger scores, and use MAE restorations to refine trigger scores. (R2 Topological Detection) is not relevant to ours as it considers the topology of neural networks rather than triggers.

Hyper-parameters.

Our method consists of several hyper-parameters. But we do not tune them for different tasks or datasets. Instead, we delicately designed our method so that the default hyper-parameters can be applied universally.

In Sec. 4.4, we use a set of $\tau_k$ as the initial thresholds and adjust them automatically during defense. As shown in Fig.5, the range of optimal thresholds is large after topology-aware refinement, thus the method is not sensitive to the choice of thresholds. In Sec. F.1-F.2, we include analysis on the topology sampling hyper-parameter and repeated times. The default values achieve a balance between performances and computation cost.

Motivation of introducing MAE. Other backdoor sample detection methods.

We highlight that the task of blind backdoor defense at test time for black-boxed models is practical yet challenging. Our goal is to recover the true labels, rather than detecting backdoor samples but refuse to make a decision. For a real system, a practical defense module is expected to return true labels regardless of inputs. Otherwise, the system service would be interrupted.

To the best of our knowledge, existing methods either requires knowing model details or additional validation data, or could not make correct predictions for both clean and backdoored images.

We show in the paper that test-time image transformation could not perform well. Naive trigger search in the image space could not generalize to complex triggers. Therefore, we are motivated to locate possible triggers and recover true labels simultaneously. The integration of MAE enable us to handle a variety of triggers in a unified manner. MAE is only used for inference without any updates. The increased overhead in inference time is still much lower than using diffusion models.

Performance of DDPM-based method.

We have made discussions in Sec. 3 and Sec. F.7 about the fundamental differences between ours and diffusion model-based method (DiffPure). DiffPure first adds a small amount of noise to the image and then uses a reverse generative process to recover the clean images. There are a few reasons about its unsatisfactory performances for backdoor image purification.

1. It applies a global transformation to the entire image, without specifically locating and removing triggers. The triggers may partially remain in the restored images, as shown in Fig. A.6-A.7. Thus the resulted images may still be predicted as the target label, leading to a high ASR and low BA.
2. Diffusion models are pretrained on a large resolution. For Cifar10 and GTSRB of size 32$\times$32, the diffusion model restored images after down-scaling may not be consistent with the original image in the clean regions.
3. Diffusion models could hallucinate some details not existing in the original images. For example, in the VGGFace2 dataset, features like eye-glasses, expressions, mouths are changed with diffusion models. These features are critical to recognizing face identity.

The last two reasons explain why clean accuracies are low for diffusion model-based defense.

Number of model architectures and attack methods being tested.

Please note that we are dealing with black-box models. Therefore, the model architectures should not affect the conclusions. That being said, we have provided results with a simple convolution network used in previous work and VGG16 backbone in Sec. F.3.

Since we work on test-time image purification, the diversity of triggers is more important than the number of attack methods. In the experiments, we evaluate our method against a variety of triggers, including different sizes of white patches and color patches, commonly seen icons, irregular curves, four distant checkerboards and invisible patches. We believe they are representative enough for local triggers.

Model repairing-based backdoor defense.

We highlight that our task is test-time defense for black-box models. Only one single test image and its hard label predictions are available. Model repairing-based backdoor defense is not applicable to our task. Their results cannot be directly compared with ours due to different settings.

MAE finetuning.

No, MAE is not updated for all experiments. Since only one test image (and possibly backdoored) is available, we believe there is no particular benefits in fine-tuing MAE.

Time complexity and benefits using MAE.

Please refer to the general response.

About stealthy but non-localized triggers.

Our work is tailored for the practical and important local triggers. Stealthy but non-localized triggers have different properties. The two types of triggers need to be handle separately. Stealthy triggers are more sensitive to image transformations. Differently for local triggers, how to detect their location is critical. In our proposed BDMAE, we leverage MAE to obtain trigger scores. They are not intended for non-localized triggers that span over the entire image.

Availability of MAE and out-of-distribution data.

We use the generic pretrained MAE to assist backdoor purification, which is strong enough to transfer to different downstream datasets. Our task is test-time defense. Out-of-distribution data are not related to the task.

Model learning from the MAE instead of the training data.

Our task is test-time defense. Each test image is purified on-the-fly. We don't use training data nor update MAE.