Mind Control through Causal Inference: Predicting Clean Images from Poisoned Data

Dear authors,

Thank you for your efforts in providing additional explanations and experiments. While I acknowledge the improvements, several concerns remain unaddressed:

Answers to Q1 and Q7:

From my understanding, MCCI’s effectiveness over CBD stems primarily from the cut-off of the spurious path via Backdoor Adjustment, implemented using the AIN model. This approach leverages frequency transformation (via DCT) to amplify differences between poisoned and benign samples in the latent space. Consequently, the success of the AIN model in indicating poisoned samples is critical for recovering clean labels, making the AIN model with DCT the cornerstone of MCCI.

However, as demonstrated in the adaptive attack (Appendix O), employing a smooth trigger (e.g., the LowFrequency (LF) attack) can bypass AIN’s indication mechanism, leading to MCCI's failure. In Theorem 4.4, the satisfaction of a backdoor attack $A$ is a prerequisite for causality analysis. Yet, the adaptive attack with the smooth trigger meets this condition, while MCCI fails to defend against it. This observation suggests that the causality, despite being a conceptual motivation, lacks robust theoretical backing for the defense, again demonstrating that the AIN model and DCT are the core of the method.

Another minor comment is that using the smooth trigger is similar to the existing attack LF. Thus, mentioning such a design as an adaptive attack is not adequate.

Hence, my doubt remains in the emphasis on the connection of the causal graph to the backdoor defense as the central contribution of this work.

Answer to Q5

Thank you for detailing additional experimental setups. However, Appendix F still needs to include important specifics about the considered backdoor attacks. For instance, WaNet’s hyperparameters, such as the noise ratio, grid size $k$, and warping strength $s$, remain undefined. These omissions hinder a comprehensive understanding and reproducibility of the experiments.

Answer to Q6

First, considering that the poisoning rate is 10% by default, many defenses[1,2,3,4] have proven that backdoor attacks like BadNets, Blend, ISSBA, WaNet, etc., while no defense present, can achieve high ASR even with using data augmentations during the model training. Thus, the argument that using augmentations hinders the backdoor effect is not correct.

Regarding defenses related to this work, ABL and CBD don't use any data augmentation, aiming for stable backdoor learning but compromising clean accuracy. In contrast, defenses like DBD and D-ST incorporate data augmentations, achieving strong defensive performance without significant clean accuracy reduction. Since MCCI is a training-time method that disentangles samples in latent space, rather than splitting the dataset for the consequent model training as DBD or D-ST do, does MCCI always need to remove data augmentations to maintain defensive efficacy, i.e., at the cost of the clean accuracy reduction?

---

In summary, I appreciate the contribution of integrating Backdoor Adjustment with DCT into model training. However, I note that elements such as the causal graph (which lacks a solid and strong connection to MCCI) and the frequency transformation have been employed in prior defenses [5,6]. Moreover, MCCI demonstrates limited robustness against advanced attacks like LF and stays behind state-of-the-art methods that achieve robust defense without compromising clean accuracy. Consequently, I cannot vote for the acceptance of the paper and my score remains unchanged.

References:

[1] Chen et al., "Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples," NeurIPS 2022.

[2] Zhu et al, "The victim and the beneficiary: Exploiting a poisoned model to train a clean model on poisoned data," CVPR 2023.

[3] Huang et al, "Backdoor defense via decoupling the training process," ICLR 2022.

[4] Gao et al, " Backdoor defense via adaptively splitting poisoned dataset," CVPR 2023.

[5] Zhang et al., "Backdoor Defense via Deconfounded Representation Learning," CVPR 2023.

[6] Pal et al., "Backdoor Secrets Unveiled: Identifying Backdoor Data with Optimized Scaled Prediction Consistency," ICLR 2024.

Q1. Detailed comparison between MCCI and CBD

Thanks for raising the insightful question. We firstly admit that both MCCI and CBD focuses on leveraging causal inference to train a anti-backdoor learning model. However, there are several distinct differences between MCCI and CBD.

Firstly, our proposed method is rigorously supported by causal proof, unlike CBD. Although both approaches utilize causal graphs to analyze backdoors and identify the spurious path between images and labels, our defense method is based on causal inference theory, specifically backdoor adjustment. This provides a solid theoretical foundation. Conversely, after analyzing the causal graph, CBD found it challenging to apply causal inference theory directly to solve the problem. Consequently, they turned to disentangling the representation. While this approach is effective, it lacks the theoretical substantiation that our method provides, relying more on intuitive than formal theoretical support.

Secondly, A major advantage of MCCI is its ability to consistently recover the original true labels of backdoored images, a feat not easily achieved by the CBD method. As illustrated in Table 1 of our manuscript, the ARR of CBD suffers under certain attacks like Blend, WaNet, and ISSBA, whereas our method demonstrates consistently high ARR across all evaluated attacks.

Thirdly, the network design of MCCI is also significantly different from CBD. Following the second point, we have incoporated special network designs to encourage the model to recover the original true labels for the backdoor images. For example, the freqeuncy spectrum in AIN structure is introduced to better distinguish backdoor and clean inputs; the AIN structure is intentionally constructed with a small neural network so that the backdoor features can be easier to be captured.

Fourthly, the loss functions in MCCI and CBD are also different. We have opted not to incorporate any additional mutual information loss as used in CBD because we aim to maintain training efficiency and facilitate scaling to large pre-trained models like ViT, CLIP, and BLIP. Our method has shown to be effective even with large models, a benefit not observed in CBD.

Q2. Loss functions formulation

Sorry for the confusion brought by our formulations. Firstly, there is only a single loss function $\ell(C(g(AIN_{\theta^{t}\_{AIN}}(x_{dct}),SFRN_{\theta^{t}_{SFRN}}(x))), y)$, and the loss function is actually instantiated as the cross entropy loss in our experiments. (Please see descriptions in Line 289).

Q3. Setting Justification

Firstly, we'd like to emphasize that MCCI only requires a small set of clean images (e.g., 1, 5, 10) to recover the original, correct labels for backdoor images, which is a quite easy assumption in practice. Secondly, using additional information from the validation dataset is also a valid assumption, which has been made by the previous papers (e.g, [1]). Thirdly, MCCI can also work out well with the clean images sampled from the training dataset.

Q4. The choice of DCT and DFT

Thank you for the question. Since our method is inspired by the frequency spectrum attack proposed in [3], our choice of DCT also follows from this paper [3].

Q5. Clarifications on the experimental setups

Sorry for the confusion brought by our writing. We have incorporated detailed experimental setups in the updated manuscript. Please check Appendix G-I for more details.

Q6. More details about the training setup

The details of our training recipe are provided in Appendix I. It is noted that the main reason for the performance gap is because we didn't apply any data augmentations in the experiments, such as random rotation, shifting. This choice follows the rationale in the ABL. Specifically, data augmentations potentially hinder the backdoor effect [2].

Q7. Low-frequency (LC) attack

We appreciate your insightful feedback and acknowledge that our defense method, while robust, is not a panacea. As you rightly pointed out, the use of the frequency spectrum as the representation of an attack may not defend against attacks specifically designed to evade detection by the Attack Indication Network (AIN) (like low-frequency attack). In response to your suggestion, we have included a paragraph discussing the limitations of our approach (Appendix P) to provide a balanced view.

Moreover, we have conduced additional adaptive attack experiments(Appendix O) using the smooth trigger as you suggested [3]. In particular, we adopt their strategy by updating the smooth trigger with the perturbation that remains after the low-pass filter for each iteration subject to this trigger is also capable of launching successful backdoor attack. The remaining parts of the filter perturbation can be interpreted as $t'=t*g$. Here, $t'$ is the result of the perturbation after convolving with the low-pass filter $g$ in the image domain. Hence the poisoned image can be expressed as $\hat{x}_i={x}_i+t'$. The optimization process can be written as follows:

$\min_{t} \sum_{i=1}^{|D_b|} L(x_i+ t*g,y_{t};\theta_{p}), s.t. \theta_{p}=\min_{\theta} (\sum_{i=1}^{|D_{c}|} L(x_i,y_i;\theta)+ \sum_{i=1}^{|D_b|} L( \hat{x}\_i, y_{t}; \theta) ).$

This bilevel optimization function aims to find a smooth pattern $t*g$, which falls within the range of the low-pass filter $g$, and can be adopted as a backdoor trigger to successfully compromise the model. The results in the table (see row 'Smooth Trigger') show that this smooth trigger can backdoor the model. However, the extent of the backdoor is substantially reduced after finetuning the model with a small set (25) of clean images for a few epochs (10), as shown in the last row.

Furthermore, we emphasize that the use of the frequency spectrum to indicate attacks serves as a proof of concept for our broader method of Backdoor Adjustment for Backdoor Attack. ($\mathbb{E}[Y|I=do(i)]=\mathbb{E}[\sum_{a}P(Y|i,a)P(a)] = \mathbb{E}_A\mathbb{E} \left[ Y|i, A \right]$) This method posits that if more sophisticated input-level backdoor detection methods become available in the future, we could readily adapt our approach to incorporate these new methods in place of the frequency spectrum to represent $A$. This adaptability highlights a promising direction for future research in enhancing the robustness of models against backdoor attacks.

Q8. More Defense Baselines

Thanks for the great question. We rerun the experiments of D-ST on the popular benchmark BackdoorBench (https://github.com/SCLBD/BackdoorBench). The hyperparameters are all same as the original paper. For example, clean ratio is set as 0.20, poison ratio is set as 0.05. The following table shows the results of D-ST on the CIFAR-10 dataset.

It is shown that the D-ST achieves a worse performance on all of the three metrics, compared to our MCCI.

[1] Guo J, Li A, Liu C. Aeva: Black-box backdoor detection using adversarial extreme value analysis. arXiv preprint arXiv:2110.14880. 2021 Oct 28.

[2] Liu Y, Ma X, Bailey J, Lu F. Reflection backdoor: A natural backdoor attack on deep neural networks. InComputer Vision–ECCV 2020: 16th European Conference, Glasgow, UK, August 23–28, 2020, Proceedings, Part X 16 2020 (pp. 182-199). Springer International Publishing.

[3] Yi Zeng, Won Park, Z Morley Mao, and Ruoxi Jia. Rethinking the backdoor attacks’ triggers: A frequency perspective. In Proceedings of the IEEE/CVF international conference on computer vision, pp. 16473–16481, 2021.

Thanks for the timely response! We are happy to address these continual concerns.

Response to your concern about Q1 and Q7

We would like to emphasize that the main contribution of our paper is the introduction of a novel causal-inspired framework, which leverages the classical backdoor adjustment theory from causal inference to train backdoor-free models. The key challenge we aim to address is: How can we recover the original true labels for backdoor samples? This problem cannot be effectively solved by existing baseline methods. Importantly, this challenge has been frequently acknowledged and highlighted by the research community [1–2], yet there are currently no effective solutions specifically designed to address it.

While we acknowledge that the attack indicator used in our framework might not be an Oracle-level solution and could face limitations against certain types of strong backdoor attacks, we encourage reviewers to focus on the significant advantages introduced by MCCI.

Finally, we would like to note that the proposed MCCI framework is designed to integrate seamlessly with other attack indicators beyond DCT in future work. We anticipate that subsequent research will enhance the robustness of our approach by introducing more advanced attack indicators.

Response to your concern about Q5

We utilized the default settings of the attack methods in our experiments, as defined in well-established benchmarks BackdoorBox (https://github.com/THUYimingLi/BackdoorBox/tree/main). For instance, in the case of WaNet, we set the noise ratio to twice the poisoning ratio, grid size $𝑘=4$, grid_rescale to 1, and warping strength $s=0.5$. These detailed settings have now been included in the Appendix for reference.

Response to your concern about Q6

We would like to clarify that MCCI does not rely on any assumptions about "removing data augmentations." The removal of data augmentations in our experiments follows the setup used in ABL. Additionally, this removal is applied uniformly across all baseline methods, not just MCCI. While we acknowledge the role of data augmentation in improving clean accuracy, our primary objective is to evaluate defense performance without these additional operations. This approach ensures a more equitable and unbiased comparison.

[1] Wu B, Chen H, Zhang M, Zhu Z, Wei S, Yuan D, Shen C. Backdoorbench: A comprehensive benchmark of backdoor learning. Advances in Neural Information Processing Systems. 2022 Dec 6;35:10546-59.

[2] IEEE Trojan Removal Competition (https://www.trojan-removal.com)

Q1. Key challenge of MCCI

Thank you for acknowledging our contributions to addressing the challenging problem of "How can we recover the original true labels for backdoor samples?". We would like to respectfully clarify that MCCI is not merely an assembly of AIN and SFRN. On the contrary, the design of MCCI is deeply rooted in the backdoor adjustment theory from causal inference.

...why SFRN cannot learn the backdoor feature when AIN is present and functional.

Thanks for the great question. We'd like to mention that we have incorporated two special designs to suppress the SFRN to capture backdoor features and encourage the AIN to capture clean features. Firstly, as illustrated in Remark 4.5 (Design Guidelines for AIN). Specifically, the AIN is intentionally designed to have a much smaller structure than the SFRN, as backdoor patterns are simpler and quicker to learn than normal patterns, as evidenced by prior work [1-4]. Thus, we use a weaker model for AIN (a 6-layer CNN) compared to the SFRN (e.g., ViT). This weaker structure inherently limits AIN's capacity to learn complex semantic features, allowing it to focus primarily on simple and easily detectable patterns. Secondly, the inputs to AIN and SFRN differ: AIN receives the frequency spectrum of the image, while SFRN processes the original image. Since the original image contains more semantic features than its frequency spectrum, this design further guides AIN to capture the trigger patterns, while SFRN learns the more complex semantic features.

We have also provided relevant empirical results in Figure 3 to further demonstrate the separation ability of the MCCI framework.

I suggest that the author specify the limited application scenario of MCCI before the method description.

Thanks again for the great suggestions! We have already incorporated this limitation into our Limitation part. Please check our conclusion and Appendix P for more details.

Q2: The use of data augmentations

Thanks for the great suggestions! To align our experimental setup with the existing advanced baseline methods (e.g, DBD, ASD, D-ST), we add two additional data augmentations (random cropping and random horizontal flipping) in the training process for all the baselines and our methods. The choice of these two data augmentation operations follows that in ASD (please check https://github.com/KuofengGao/ASD/blob/main/config/baseline_asd.yaml for more details). The other experimental settings (e.g., learning rate, optimizer, # epoch, etc.) are unchanged. We compare the effectivenss of our method with the baselines on the CIFAR-10 dataset. The following table presents the resutls:

Note that each cell contains three values: clean accuracy (CA), attack success rate (ASR), and attack recovery rate (ARR). It is shown that data augmentations can boost clean accuracy of our method, while also maintaining its ability to achieve low ASR and consistently high ARR. Therefore, MCCI demonstrates robustness to data augmentations during the training stage, as evidenced by its strong performance in both data-augmented and non-data-augmented scenarios.

[1] Qin Liu, Fei Wang, Chaowei Xiao, and Muhao Chen. From shortcuts to triggers: Backdoor defense with denoised poe. arXiv preprint arXiv:2305.14910, 2023

[2] Zaixi Zhang, Qi Liu, Zhicai Wang, Zepu Lu, and Qingyong Hu. Backdoor defense via deconfoundedrepresentation learning. CVPR, 2023

[3] Yu D, Zhang H, Chen W, et al. Indiscriminate poisoning attacks are shortcuts[J]. 2021.

[4] Sandoval-Segura P, Singla V, Fowl L, et al. Poisons that are learned faster are more effective[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022: 198-205.

Thank you for your efforts in conducting experiments related to data augmentation. These experiments demonstrate the robustness of MCCI and its ability to maintain high, clean accuracy. While I am currently more confident in MCCI's effectiveness, I would like to discuss one final concern below with the authors and other reviewers.

Explanation of empirical observation of SFRN's learning

After reading the authors' reply, it remains unclear why SFRN does not simultaneously learn any backdoors and how the causal analysis in this work proves this phenomenon. At least, this phenomenon cannot be explained directly by the causal graph in Figure 2 since the trigger pattern is not erased from input samples during SFRN training. I speculate that the main influence may lie in the concatenation of $z$ and $z_f$.

As shown by the t-SNE visualization in Figure 3, AIN clearly separates poisoned samples from clean samples, indicating that AIN makes deterministic and highly confident predictions only on poisoned samples for the backdoor target. Does the high prominence of AIN's predictions mainly dominate the reduction of learning loss on poisoned samples, thereby weakening SFRN's learning of the backdoor?

If this is true, for SFRN, is the confounding bias related to the backdoor (as shown in Figure 2) actually broken due to the cut-off of $A \rightarrow Y$, rather than $A \rightarrow I$ ?

I sincerely appreciate the authors’ explanation for my final concern. While I maintain my view that the separate learning processes of AIN and SFRN depend on the empirical design of the MCCI framework, I acknowledge that the extensive experiments demonstrate the effectiveness of MCCI framework. Furthermore, the discussion surrounding this empirical design significantly enhances the clarity of the proposed method.

Please ensure that all additional experiments and explanations from our discussion, which contribute to improving the method’s clarity, are incorporated into the revision.

I thank the authors for their substantial efforts in the rebuttal and I have decided to raise my score.

Thank you very much for recognizing the challenges in our settings and the novelty of our method! We also appreciate your excellent question. We reran the experiments of D-ST on the popular benchmark BackdoorBench(https://github.com/SCLBD/BackdoorBench). The hyperparameters were set exactly as specified in the original paper. For example, the clean ratio was set at 0.20, and the poison ratio was set at 0.05. The table below shows the results of D-ST on the CIFAR-10 dataset.

It is shown that the D-ST achieves a worse performance on all of the three metrics, compared to our MCCI.

Q1. More experiments with VGG-16 and MobileNet

Thanks for the insightful question. According to your suggestions, we have evaluated the effectiveness of our method by using VGG16 and MobileNet as the backbone model of SFRN. We chose BadNets on the Cifar10 dataset as a simple proof-of-concept. The results are presented below:

Q2. Low-frequency (LC) attack

We appreciate your insightful feedback and acknowledge that our defense method, while robust, is not a panacea. As you rightly pointed out, the use of the frequency spectrum as the representation of an attack may not defend against attacks specifically designed to evade detection by the Attack Indication Network (AIN) (like low-frequency attacks). In response to your suggestion, we have included a paragraph discussing the limitations of our approach (Appendix P) to provide a balanced view.

Moreover, we have conducted additional adaptive attack experiments(Appendix O) using the smooth trigger as you suggested [3]. In particular, we adopt their strategy by updating the smooth trigger with the perturbation that remains after the low-pass filter for each iteration subject to this trigger is also capable of launching a successful backdoor attack. The remaining parts of the filter perturbation can be interpreted as $t'=t*g$. Here, $t'$ is the result of the perturbation after convolving with the low-pass filter $g$ in the image domain. Hence the poisoned image can be expressed as $\hat{x}_i={x}_i+t'$. The optimization process can be written as follows:

$\min_{t} \sum_{i=1}^{|D_b|} L(x_i+ t*g,y_{t};\theta_{p}), s.t. \theta_{p}=\min_{\theta} (\sum_{i=1}^{|D_{c}|} L(x_i,y_i;\theta)+ \sum_{i=1}^{|D_b|} L( \hat{x}\_i, y_{t}; \theta) ).$

This bilevel optimization function aims to find a smooth pattern $t*g$, which falls within the range of the low-pass filter $g$, and can be adopted as a backdoor trigger to successfully compromise the model. The results in the table (see row 'Smooth Trigger') show that this smooth trigger can backdoor the model. However, the extent of the backdoor is substantially reduced after finetuning the model with a small set (25) of clean images for a few epochs (10), as shown in the last row.

Furthermore, we emphasize that the use of the frequency spectrum to indicate attacks serves as a proof of concept for our broader method of Backdoor Adjustment for Backdoor Attack. ($\mathbb{E}[Y|I=do(i)]=\mathbb{E}[\sum_{a}P(Y|i,a)P(a)] = \mathbb{E}_A\mathbb{E} \left[ Y|i, A \right]$) This method posits that if more sophisticated input-level backdoor detection methods become available in the future, we could readily adapt our approach to incorporate these new methods in place of the frequency spectrum to represent $A$. This adaptability highlights a promising direction for future research in enhancing the robustness of models against backdoor attacks.

Q1. More clarifications

We sincerely appreciate your detailed review and thoughtful suggestions. Your feedback has significantly improved the clarity and quality of our paper. Following your suggestions, we have made several changes, summarized below and highlighted in blue in the latest version:

• Definition of Attack Indicator. We have defined the attack indicator in the introduction to help readers better understand its role in our method.

• Clarifications in Assumptions and Definitions. We have revised Assumption 3.3 and Definition 4.1 to make them more formal and reduce ambiguity.

• Expectation vs. Conditional Probability. Thank you for raising this important question. We adopt the expectation rather than the conditional probability distribution because we follow the framework of causal inference to address the backdoor detection problem. Specifically: In causal inference, one of the main goals is to determine the expected outcome (treatment effect) for a given unit $X$, expressed as $\mathbb{E}[Y|x]$. To achieve this, the backdoor adjustment theory is employed to estimate outcomes free from the influence of spurious paths. This aligns naturally with the backdoor detection problem, and we leverage similar concepts and forms to frame our approach.

• Meaning of "ideal". Thank you for pointing out the need for additional explanation. We have expanded our discussion to clarify why the frequency spectrum is an ideal attack indicator. Specifically: An intuitive way to indicate the presence of an attack is by leveraging off-the-shelf backdoor detection algorithms [1-2]. However, these approaches depend on already backdoored models and require computationally intensive processes, which are impractical for representing $A$ as an input in our setting, where a clean model is trained directly from a poisoned dataset. Hence there is no backdoored model in our settings. Inspired by input-level detection methods [3], we use the frequency spectrum of each image to indicate the presence of an attack. This approach is effective due to the significant differences between backdoored and clean images in the frequency domain. Its proactive (no need an alreay backdoored model)and computationally efficient nature, along with its independence from already trained backdoored models, makes it an ideal attack indicator.

• Typo Corrections in Figures 4 and 5. We have corrected the typographical errors in Figures 4 and 5. Specifically, DACC refers to clean accuracy, and DACP refers to the Attack Recovery Rate. We apologize for the inconsistency in naming.

Q2. Clarifications on the correlation of our method and the causal model

We sincerely appreciate your question regarding the correlation between our method and the causal model. We would like to provide further clarification on these associations.

To propose a defense method capable of training a clean model on a poisoned dataset, it was first necessary to understand the intrinsic differences between training a poisoned model and a clean model under such conditions. Specifically, we utilized causal inference and constructed a causal model, as you summarized in the review. Our analysis revealed that the underlying issue leading to the poisoned model is the presence of a spurious path in the causal model. Building on this understanding, we sought an approach to eliminate this spurious path. Inspired by the backdoor adjustment technique in causal inference—originally designed to address such spurious paths—we framed our problem and developed our method based on this theoretical foundation.

In our work, there is a straightforward way to ensure Assumption 2 in your summary ("The inductive biases are such that the modified model will separate clean (semantic) features into the output of SFRN and trigger features into the output of AIN"), as illustrated in Remark 4.5 (Design Guidelines for AIN). Specifically, the AIN is intentionally designed to have a much smaller structure than the SFRN, as backdoor patterns are simpler and quicker to learn than normal patterns, as evidenced by prior work [6-9]. Thus, we use a weaker model for AIN (a 6-layer CNN) compared to the SFRN (e.g., ViT). This weaker structure inherently limits AIN's capacity to learn complex semantic features, allowing it to focus primarily on simple and easily detectable patterns. Additionally, the inputs to AIN and SFRN differ: AIN receives the frequency spectrum of the image, while SFRN processes the original image. Since the original image contains more semantic features than its frequency spectrum, this design further guides AIN to capture the trigger patterns, while SFRN learns the more complex semantic features. We also find your suggestion of adding a mutual information loss between the embeddings from AIN and SFRN intriguing, as it could promote greater independence between the two. However, implementing this approach may require introducing an additional model [10] to approximate the mutual information during training, adding complexity to the method. Given that our approach is designed with large pre-trained models in mind, incorporating additional structures and losses could make the method cumbersome. Since the current approach already achieves SOTA performance, we opted to maintain its simplicity.

Q3. Potential limitations of MCCI

We appreciate your insightful feedback and acknowledge that our defense method, while robust, is not a panacea. As you rightly pointed out, the use of the frequency spectrum as the representation of an attack may not defend against attacks specifically designed to evade detection by the Attack Indication Network (AIN) (like low-frequency attack). In response to your suggestion, we have included a paragraph discussing the limitations of our approach (Appendix P) to provide a balanced view.

Moreover, we have conduced additional adaptive attack experiments(Appendix O) using the smooth trigger as you suggested [3]. In particular, we adopt their strategy by updating the smooth trigger with the perturbation that remains after the low-pass filter for each iteration subject to this trigger is also capable of launching successful backdoor attack. The remaining parts of the filter perturbation can be interpreted as $t'=t*g$. Here, $t'$ is the result of the perturbation after convolving with the low-pass filter $g$ in the image domain. Hence the poisoned image can be expressed as $\hat{x}_i={x}_i+t'$. The optimization process can be written as follows:

$\min_{t} \sum_{i=1}^{|D_b|} L(x_i+ t*g,y_{t};\theta_{p}), s.t. \theta_{p}=\min_{\theta} (\sum_{i=1}^{|D_{c}|} L(x_i,y_i;\theta)+ \sum_{i=1}^{|D_b|} L( \hat{x}\_i, y_{t}; \theta) ).$

This bilevel optimization function aims to find a smooth pattern $t*g$, which falls within the range of the low-pass filter $g$, and can be adopted as a backdoor trigger to successfully compromise the model. The results in the table (see row 'Smooth Trigger') show that this smooth trigger can backdoor the model. However, the extent of the backdoor is substantially reduced after finetuning the model with a small set (25) of clean images for a few epochs (10), as shown in the last row.

Furthermore, we emphasize that the use of the frequency spectrum to indicate attacks serves as a proof of concept for our broader method of Backdoor Adjustment for Backdoor Attack. ($\mathbb{E}[Y|I=do(i)]=\mathbb{E}[\sum_{a}P(Y|i,a)P(a)] = \mathbb{E}_A\mathbb{E} \left[ Y|i, A \right]$) This method posits that if more sophisticated input-level backdoor detection methods become available in the future, we could readily adapt our approach to incorporate these new methods in place of the frequency spectrum to represent $A$. This adaptability highlights a promising direction for future research in enhancing the robustness of models against backdoor attacks.

Q4. More Clarification on experimental setups

Q4.1 Clarifications on the lower clean accuracy

The details of our training recipe are provided in Appendix I. It is noted that the main reason for the performance gap is that we didn't apply any data augmentations in the experiments, such as random rotation, or shifting. This choice follows the rationale in the ABL. Specifically, data augmentations potentially hinder the backdoor effect [14].

Q4.2 Evaluating MCCI on more datasets

Thanks for the question. Firstly, we'd like to argue that the choice of datasets follows the previous well-established works [11-12] in machine learning safety and trustworthy AI. But to further demonstrate the effectiveness of our method, we compare our method with the baselines on the popular GTSRB dataset. The results are shown below:

It is noted that each cell contains three values, which correspond to clean accuracy (CA), attack success rate (ASR), and attack recovery rate (ARR). It is shown that our method consistently shows good performance in recovering original labels for backdoor samples, while also maintaining a good clean accuracy and a low attack success rate.

Q4.3 Comparison with [13]

Thank you for bringing this intreseting related work to our attention. We have cited and compared it in the related work section. Moreover, we have added additional experiments of it on CIFAR10, the results can be shown in below. However, we respectfully argue that it may not fulfill our threat model. This method proposes adding a backdoor $t'$, whose target label is its original label, to the current backdoor $t$. In the inference stage, adding this $t'$ to every sample supposedly suppresses backdoored predictions. To achieve this, the method first requires an additional backdoor detection tool to isolate backdoored samples and an advanced predictor to identify the original labels of these samples. However, in our setting, defenders do not have access to these additional tools. We also contend that assuming the availability of such tools is impractical for defending against backdoors in large pre-trained models due to the vast amount of training data and the lack of comparably effective prediction models.

It is noticed that NAB achieves a higher clean accuracy compared to our method. The advantages might be attributed to the additional backdoor detection tool and the advanced predictor introduced by NAB.

Q5. Source code issues

We have now published our code. You can find it here https://anonymous.4open.science/status/BKD_BKD_ICLR-503E.

Thank you for your detailed review and for pointing out the typos. We have corrected all the typos you identified in the latest version.

[1] Qi X, Xie T, Wang J T, et al. Towards a proactive {ML} approach for detecting backdoor poison samples[C]//32nd USENIX Security Symposium (USENIX Security 23). 2023: 1685-1702.

[2] Minzhou Pan, Yi Zeng, Lingjuan Lyu, Xue Lin, and Ruoxi Jia. {ASSET}: Robust backdoor data detection across a multiplicity of deep learning paradigms. In 32nd USENIX Security Symposium (USENIX Security 23), pp. 2725–2742, 2023

[3] Yi Zeng, Won Park, Z Morley Mao, and Ruoxi Jia. Rethinking the backdoor attacks’ triggers: A frequency perspective. In Proceedings of the IEEE/CVF international conference on computer vision, pp. 16473–16481, 2021.

[4] Shalit U, Johansson F D, Sontag D. Estimating individual treatment effect: generalization bounds and algorithms[C]//International conference on machine learning. PMLR, 2017: 3076-3085.

[5] Yao L, Chu Z, Li S, et al. A survey on causal inference[J]. ACM Transactions on Knowledge Discovery from Data (TKDD), 2021, 15(5): 1-46.

[6] Qin Liu, Fei Wang, Chaowei Xiao, and Muhao Chen. From shortcuts to triggers: Backdoor defense with denoised poe. arXiv preprint arXiv:2305.14910, 2023

[7] Zaixi Zhang, Qi Liu, Zhicai Wang, Zepu Lu, and Qingyong Hu. Backdoor defense via deconfoundedrepresentation learning. CVPR, 2023

[8] Yu D, Zhang H, Chen W, et al. Indiscriminate poisoning attacks are shortcuts[J]. 2021.

[9] Sandoval-Segura P, Singla V, Fowl L, et al. Poisons that are learned faster are more effective[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2022: 198-205.

[10] Hjelm R D, Fedorov A, Lavoie-Marchildon S, et al. Learning deep representations by mutual information estimation and maximization[J]. arXiv preprint arXiv:1808.06670, 2018.

[11] Guo J, Li Y, Chen X, Guo H, Sun L, Liu C. Scale-up: An efficient black-box input-level backdoor detection via analyzing scaled prediction consistency. arXiv preprint arXiv:2302.03251. 2023 Feb 7.

[12] ZeroMark: Towards Dataset Ownership Verification without the Verification Watermark Disclosure

[13] Liu et al., Beating Backdoor Attack at Its Own Game, https://arxiv.org/abs/2307.15539

[14] Yunfei Liu, Xingjun Ma, James Bailey, and Feng Lu. Reflection backdoor: A natural backdoor attack on deep neural networks. In ECCV, 2020.

Q1. Experiments with data augmentations

Thanks for the great suggestions! To align our experimental setup with the existing advanced baseline methods (e.g, DBD, ASD, D-ST), we add two additional data augmentations (random cropping and random horizontal flipping) in the training process for all the baselines and our methods. The choice of these two data augmentation operations follows that in ASD (please check https://github.com/KuofengGao/ASD/blob/main/config/baseline_asd.yaml for more details). The other experimental settings (e.g., learning rate, optimizer, # epoch, etc.) are unchanged. We compare the effectivenss of our method with the baselines on the CIFAR-10 dataset. The following table presents the resutls:

Note that each cell contains three values: clean accuracy (CA), attack success rate (ASR), and attack recovery rate (ARR). It is shown that data augmentations can boost clean accuracy of our method, while also maintaining its ability to achieve low ASR and consistently high ARR. Therefore, MCCI demonstrates robustness to data augmentations during the training stage, as evidenced by its strong performance in both data-augmented and non-data-augmented scenarios.

Q2. Overly defensive tone

We appreciate you pointing out the overly defensive tone, as we also believe it potentially leads to misunderstanding about the contribution of our work. In this paper, we may have devoted too much space to describing the theoretical framework while dedicating relatively less attention to highlighting the empirical contributions. Specifically, our method not only prevents target label predictions but also effectively and robustly recovers the original, correct labels for backdoored images while maintaining high clean accuracy—a unique feature absent in previous models, as supported by extensive experiments. To address this, we have revised the abstract, introduction, and limitations sections to emphasize this aspect (highlighted in blue). We have also adjusted the order of the contributions to bring this point to the forefront. Additionally, we have revised the methods section to underscore the empirical contributions more clearly. Thank you for your detailed review. We also noticed that the newly added paragraph in Appendix P was too long, so we have separated it for clarity. Furthermore, we corrected the citation and link typos and made necessary updates to the terms in the equations.