Detecting Poisoned Samples for Untargeted Backdoor Attacks

doi:10.3969/j.issn.1671-1122.2025.12.004

Abstract

Abstract:

Backdoor attacks, as an important way of data poisoning attacks, represent a significant threat to the reliability of datasets and the security of model training. Currently, the predominant defensive strategies are largely targeted-backdoor-attacks and lack of research on non-target backdoor attacks. This study, however, proposed a poisoned sample detection method for untargeted backdoor attacks. This method was to propose a black-box method based on predicted behavioral anomalies to detect potential untargeted backdoor examples. This method consisted of two modules: a poisoned-example-detection module based on predictive behavior anomalies, which detected suspicious examples based on the discrepancy inprediction behaviors betweenthe original and the reconstructed samples; and a diffusion-model-data-generation module for poisoned examples attacks, which generated a new dataset similar to the original dataset, and without triggers. The feasibility of the method is demonstrated through experiments involving different types of targetless backdoor attack and different generative models. The great potential and application value of generative models, especially diffusion models, in the field of backdoor detection and defense is also demonstrated.

Key words: data security, untargeted backdoor attacks, image recognition, generative models, deep learning

CLC Number:

TP309

PANG Shuchao, LI Zhengxiao, QU Junyi, MA Ruhao, CHEN Hechang, DU Anan. Detecting Poisoned Samples for Untargeted Backdoor Attacks[J]. Netinfo Security, 2025, 25(12): 1878-1888.

Figures/Tables 6

References 28

[1]	HE Zeping, XU Jian, DAI Hua, et al. A Review of Federated Learning Application Technologies[J]. Netinfo Security, 2024, 24(12): 1831-1844.
	何泽平, 许建, 戴华, 等. 联邦学习应用技术研究综述[J]. 信息网络安全, 2024, 24(12):1831-1844.
[2]	GU Huanhuan, LI Qianmu, LIU Zhen, et al. Research on Hidden Backdoor Prompt Attack Methods Based on False Demonstrations[J]. Netinfo Security, 2025, 25(4): 619-629.
	顾欢欢, 李千目, 刘臻, 等. 基于虚假演示的隐藏后门提示攻击方法研究[J]. 信息网络安全, 2025, 25(4):619-629.
[3]	YAN Yukun, TANG Peng, CHEN Rui, et al. A Randomness Enhanced Bi-Level Optimization Defense Method against Data Poisoning Backdoor Attacks[J]. Netinfo Security, 2025, 25(7): 1074-1091.
	闫宇坤, 唐朋, 陈睿, 等. 面向数据投毒后门攻击的随机性增强双层优化防御方法[J]. 信息网络安全, 2025, 25(7):1074-1091.
[4]	VICE J, AKHTAR N, HARTLEY R, et al. Bagm: A Backdoor Attack for Manipulating Text-To-Image Generative Models[J]. IEEE Transactions on Information Forensics and Security, 2024, 19: 4865-4880. doi: 10.1109/TIFS.2024.3386058 URL
[5]	WU Yi, CHEN Jiayi, LEI Tianbao, et al. Web 3.0 Security: Backdoor Attacks in Federated Learning-Based Automatic Speaker Verification Systems in the 6G Era[J]. Future Generation Computer Systems, 2024, 160: 433-441. doi: 10.1016/j.future.2024.06.022 URL
[6]	LIU Tao, ZHANG Yuhang, FENG Zhu, et al. Beyond Traditional Threats: A Persistent Backdoor Attack on Federated Learning[C]// AAAI. The AAAI Conference on Artificial Intelligence. Menlo Park: AAAI, 2024: 21359-21367.
[7]	LI Yiming, JIANG Yong, LI Zhifeng, et al. Backdoor Learning: A Survey[J]. IEEE Transactions on Neural Networks and Learning Systems, 2022, 35(1): 5-22. doi: 10.1109/TNNLS.2022.3182979 URL
[8]	QI Xiangyu, XIE Tinghao, WANG Jiachen, et al. Towards a Proactive ML Approach for Detecting Backdoor Poison Samples[C]// USENIX. The 32nd USENIX Security Symposium (USENIX Security 23). Berkeley: USENIX, 2023: 1685-1702.
[9]	GUO Junfeng, LI Yiming, CHEN Xun, et al. SCALE-UP: An Efficient Black-Box Input-Level Backdoor Detection via Analyzing Scaled Prediction Consistency[EB/OL]. (2023-02-19)[2025-09-10]. https://doi.org/10.48550/arXiv.2302.03251.
[10]	ZHANG Zihan, LAI Qingnan, ZHOU Changling. Survey on Fuzzing Test in Deep Learning Frameworks[J]. Netinfo Security, 2024, 24(10): 1528-1536.
	张子涵, 赖清楠, 周昌令. 深度学习框架模糊测试研究综述[J]. 信息网络安全, 2024, 24(10):1528-1536.
[11]	GU Tianyu, DOLAN-GAVITT B, GARG S. BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain[EB/OL]. (2019-03-11)[2025-09-10]. https://doi.org/10.48550/arXiv.1708.06733.
[12]	CHEN Xinyun, LIU Chang, LI Bo, et al. Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning[EB/OL]. (2017-12-15) [2025-09-10]. https://doi.org/10.48550/arXiv.1712.05526.
[13]	LI Yiming, BAI Yang, JIANG Yong, et al. Untargeted Backdoor Watermark: Towards Harmless and Stealthy Dataset Copyright Protection[J]. Advances in Neural Information Processing Systems, 2022, 35: 13238-13250.
[14]	TURNER A, TSIPRAS D, MADRY A. Label-Consistent Backdoor Attacks[EB/OL]. (2019-12-06)[2025-09-10]. https://doi.org/10.48550/arXiv.1912.02771.
[15]	LI Yuezun, LI Yiming, WU Baoyuan, et al. Invisible Backdoor Attack with Sample-Specific Triggers[C]// IEEE. The IEEE/CVF International Conference on Computer Vision (ICCV). New York: IEEE, 2021: 16463-16472.
[16]	HE Ke, WANG Jianhua, YU Dan, et al. Adaptive Sampling-Based Machine Unlearning Method[J]. Netinfo Security, 2025, 25(4): 630-639.
	何可, 王建华, 于丹, 等. 基于自适应采样的机器遗忘方法[J]. 信息网络安全, 2025, 25(4):630-639.
[17]	GUO Junfeng, LI Ang, LIU Cong. AEVA: Black-Box Backdoor Detection Using Adversarial Extreme Value Analysis[EB/OL]. (2022-04-24) [2025-09-10]. https://doi.org/10.48550/arXiv.2110.14880.
[18]	LI Yiming, ZHAI Tongqing, JIANG Yong, et al. Backdoor Attack in the Physical World[EB/OL]. (2021-04-24)[2025-09-10]. https://doi.org/10.48550/arXiv.2104.02361.
[19]	MIRZA M, OSINDERO S. Conditional Generative Adversarial Nets[EB/OL]. (2014-11-06)[2025-09-10]. https://doi.org/10.48550/arXiv.1411.1784.
[20]	RADFORD A, METZ L, CHINTALA S. Unsupervised Representation Learning with Deep Convolutional Generative Adversarial Networks[EB/OL]. (2016-01-07)[2025-09-10]. https://doi.org/10.48550/arXiv.1511.06434.
[21]	SOHN K, YAN Xinchen, LEE H. Learning Structured Output Representation Using Deep Conditional Generative Models[C]// NIPS. Advances in Neural Information Processing Systems (NIPS). Cambridge: MIT, 2015: 3483-3491.
[22]	VAN D O A, VINYALS O, KAVUKCUOGLU K. Neural Discrete Representation Learning[C]// NIPS. Advances in Neural Information Processing Systems (NIPS). Cambridge: MIT, 2017: 6309-6318.
[23]	HO J, JAIN A, ABBEEL P. Denoising Diffusion Probabilistic Models[C]// NIPS. Advances in Neural Information Processing Systems (NIPS). Cambridge: MIT, 2020: 6840-6851.
[24]	NICHOL A, DHARIWAL P, RAMESH A, et al. GLIDE: Towards Photorealistic Image Generation and Editing with Text-Guided Diffusion Models[EB/OL]. (2022-03-08)[2025-09-10]. https://doi.org/10.48550/arXiv.2112.10741.
[25]	ROMBACH R, BLATTMANN A, LORENZ D, et al. High-Resolution Image Synthesis with Latent Diffusion Models[C]// IEEE. The IEEE/CVF Conference on Computer Vision and Pattern Recognition. New York: IEEE, 2022: 10684-10695.
[26]	WANG Bolun, YAO Yuanshun, SHAN S, et al. Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks[C]// IEEE. 2019 IEEE Symposium on Security and Privacy (SP). New York: IEEE, 2019: 707-723.
[27]	CHEN B, CARVALHO W, BARACALDO N, et al. Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering[EB/OL]. (2018-11-09)[2025-09-10]. https://doi.org/10.48550/arXiv.1811.03728.
[28]	BANSAL A, BORGNIA E, CHU H M, et al. Cold Diffusion: Inverting Arbitrary Image Transforms without Noise[C]// NeurIPS. Advances in Neural Information Processing Systems (NeurIPS). Cambridge: MIT, 2023: 41259-41282.

后门类型	ACC	ASR	FPR	TPR
BadNets	91.47%	0	6.88%	100%
高斯噪声	91.95%	41.33%	6.51%	58.67%
Sig变换	93.08%	4.84%	5.76%	95.16%
图像融合	84.96%	15.79%	13.20%	84.21%

生成模型	ACC	ASR	FPR	TPR
DCGAN	64.29%	9.68%	29.74%	90.32%
VAEs	52.68%	19.35%	39.41%	80.65%
SD	93.08%	4.84%	5.76%	95.16%

防御方法	ACC	ASR	FPR	TPR
NC	88.31%	78.45%	14.82%	21.55%
AC	89.15%	82.10%	12.03%	17.90%
本文方法	93.08%	4.84%	5.76%	95.16%