HÖLDER PRUNING: LOCALIZED PRUNING FOR BACKDOOR REMOVAL IN DEEP NEURAL NETWORKS

1. Could you provide any intuition of why the robust accuracy of Holder Pruning is much higher than others?

2. As CIFAR-10, CIFAR-100, and GTSRB are all datasets with small input sizes, it would be interesting to know the performance of the proposed defenses on datasets with larger input sizes, such as ImageNet or Tiny-ImageNet.

3. It seems that the caption of Table 1 is wrong, listing out wrong defense baselines.

4. A typo in Line 211: “an classifier” -> “a classifier”

See the weakness.

Q-(1): Many training-time defenses against backdooring attacks have been proposed in the resent. For instance, ABL [1], DBD [2], and CBD [3] propose to train a backdoor-free model with the poisoned dataset without any prior knowledge of the dataset's cleanliness. As the first two works are already considered in this paper, the authors need to rephrase line 128-129. If the definition of "in-training defense" is different from these prior work, I would ask the authors to explain the difference for a better understanding.

Q-(3): And at line 148, the final poisoned training dataset is defined as $D' = D \cup D_{poison}$, which infers that the size of the final training set is larger than the original clean dataset, i.e. $|D'| > |D|$. Most previous backdooring attacks poison a part of the clean samples and yield a poisoned training set the same size as the original training set. Therefore, I would ask, what is the implementation of dataset poisoning? Are all samples used for poisoning actually from $D$?

Q-(4): Does the Robust Accuracy (RA) measure the prediction on all poisoned samples in the training dataset? Or does it measure the accuracy on a test dataset with poisoning but correctly labeled?

Q-(5): In the setting of HP, the clean feature extractor is available, which enables a running time faster than the prior defenses. With the description at lines 241-242, the presence of a clean feature extractor actually indicates that some clean images are available upfront, which first does not match the definition in the defender model at lines 200-201 (i.e. the defender cannot reliably distinguish between clean and poisoned samples).

Q-(8): In Table 1 and Table 2, ANP defense leads to a significant natural performance degradation. In particular with CIFAR10, however, ANP shows the ability to preserve the natural performance in the original paper. Similar results have also been reproduced by the BackdoorBench [4]. Can the authors explain why ANP's performance is relatively low in this paper?

Q-(9): Across Table 1 and Table 2, although the baseline model is the same, the model performance of "Benign" training is always different within each dataset. In addition, since Table 2 shows a very high ACC on the GTSRB dataset with "Benign" training, does this mean HP in Table 1 actually harms the natural performance a lot?

[1] Li et al., "Anti-backdoor learning: Training clean models on poisoned data," in NeurIPS 2021.

[2] Huang et al., "Backdoor defense via decoupling the training process," in ICLR 2022.

[3] Zhang et al., "Backdoor Defense via Deconfounded Representation Learning, " in CVPR 2023.

[4] Wu et al., "BackdoorBench: A Comprehensive Benchmark of Backdoor Learning," in NeurIPS 2022.

This paper presents a backdoor removal framework based on the Hölder constant, which measures network sensitivity to localized regional changes. Although the approach is intuitive and the evaluation results show promise, there are several places that need improvement to enhance the overall quality of the paper. My questions are as follows.

The defender threat model described in section 2.5 appears to be weak and susceptible to vulnerabilities. It relies on the assumption of having access to a “clean feature extractor,” which is exclusively trained on untainted samples for the defender's use. In this setup, the authors assume that the defender trains only the classification head on top of the fixed, clean feature extractor for their specific task, with the data used to train this classification head being poisoned. This assumption raises several concerns. First, what data is assumed to train this “clean feature extractor”? Does it need to be trained on the same dataset as the downstream task? According to the authors in Line 24, the considered clean feature extractors are large-scale, pretrained vision encoders such as CLIP. However, such vision encoders already demonstrate robust zero-shot classification capabilities and achieve high accuracy on datasets like CIFAR-10 and CIFAR-100. In these cases, training an auxiliary MLP classifier becomes unnecessary, and mitigating potential backdoor attacks at this stage may lack practical value. Assuming the existence of a clean feature extractor also carries potential risks. Recent studies, such as [1], have demonstrated the feasibility of poisoning large-scale web datasets like LAION[2], which are frequently used for pretraining vision encoders. Moreover, even if trained on clean data, natural backdoors [3] can introduce unintended behaviors that could affect the observations reported in the paper. Thus, guaranteeing the cleanliness of the feature extractor is difficult.

Based on my understanding, the proposed pruning method focuses solely on inspecting neurons within the MLP classifier, under the assumption that the feature extractor is clean. However, the specific configurations used for the baseline methods remain unclear. Most pruning-based backdoor removal methods allow for manual configuration of the layers to inspect. For a fair comparison, all baseline methods should also be limited to operating on the MLP layers only, rather than on the entire network, including the feature extractor. The current text does not clarify the setup chosen for the baselines. If the authors evaluated the baseline methods across the entire network, it could lead to biased results and potentially incorrect conclusions, such as the claim of a 1000x speedup.

I noticed that the ASR (Attack Success Rate) of several well-known attacks reported in Table 1 is significantly lower than what is typically found in the literature. For instance, the ASR for BadNets, SIG, and WaNet are only 82.9%, 43.6%, and 20.4%, respectively, which is much lower than what has been reported in other backdoor removal studies, such as [4,5,6]. Could the authors clarify the underlying reasons for these discrepancies?

The evaluation results on more advanced backdoor attacks are missing, such as [7, 8, 9] The ablation study for the value of $\alpha$ used in Hölder constant is missing.

=== Reference

[1] Carlini, Nicholas, et al. "Poisoning web-scale training datasets is practical." 2024 IEEE Symposium on Security and Privacy (SP). IEEE, 2024.

[2] Schuhmann, Christoph, et al. "Laion-400m: Open dataset of clip-filtered 400 million image-text pairs." arXiv preprint arXiv:2111.02114 (2021).

[3] Tao, Guanhong, et al. "Backdoor vulnerabilities in normally trained deep learning models." arXiv preprint arXiv:2211.15929 (2022).

[4] Cheng, Siyuan, et al. "UNIT: Backdoor Mitigation via Automated Neural Distribution Tightening." arXiv preprint arXiv:2407.11372 (2024).

[5] Zhu, Mingli, et al. "Enhancing fine-tuning based backdoor defense with sharpness-aware minimization." Proceedings of the IEEE/CVF International Conference on Computer Vision. 2023.

[6] Qi, Xiangyu, et al. "Towards a proactive {ML} approach for detecting backdoor poison samples." 32nd USENIX Security Symposium (USENIX Security 23). 2023.

[7] Qi, Xiangyu, et al. "Revisiting the assumption of latent separability for backdoor defenses." The eleventh international conference on learning representations. 2023.

[8] Cheng, Siyuan, et al. "Deep feature space trojan attack of neural networks by controlled detoxification." Proceedings of the AAAI Conference on Artificial Intelligence. Vol. 35. No. 2. 2021.

[9] Zeng, Yi, et al. "Narcissus: A practical clean-label backdoor attack with limited information." Proceedings of the 2023 ACM SIGSAC Conference on Computer and Communications Security. 2023.