菜单

关于 🐙 GitHub
arXiv 提交日期: 2026-07-07
📄 Abstract - Two Sides of the Same Coin: Learning the Backdoor to Remove the Backdoor

The community has recently developed various training-time defenses to counter neural backdoors introduced through data poisoning. In light of the observation that a model learns poisonous samples responsible for the backdoor easier than benign samples, these approaches either use a fixed threshold of the training loss for splitting or iteratively learn a reference model as an oracle for identifying benign samples. In particular, the latter has proven effective for anti-backdoor learning. Our method, HARVEY, leverages a similar yet crucially different technique: learning an oracle for poisonous rather than benign samples. Learning a backdoored reference model is significantly easier than learning a reference model on benign data. Consequently, we can identify poisonous samples much more accurately than related work identifies benign samples. This crucial difference enables near-perfect backdoor removal as we demonstrate in our evaluation. HARVEY substantially outperforms related approaches across attack types, datasets, and architectures, lowering the attack success rate to the very minimum at a negligible loss in natural accuracy. The figure below shows an overview of our methods working principle.

顶级标签: machine learning model training
详细标签: backdoor attack defense data poisoning anti-backdoor learning 或 搜索:

一枚硬币的两面:学习后门以移除后门 / Two Sides of the Same Coin: Learning the Backdoor to Remove the Backdoor


1️⃣ 一句话总结

本文提出一种名为HARVEY的新型防御方法,通过主动学习并识别模型中的后门样本(即被恶意修改的数据),而不是像以往方法那样试图识别正常样本,从而更准确、更彻底地清除后门攻击,且几乎不损害模型在正常任务上的表现。

源自 arXiv: 2607.05748