Timezone: »
Poster
Rethinking Backdoor Attacks
Alaa Khaddaj · Guillaume Leclerc · Aleksandar Makelov · Kristian Georgiev · Hadi Salman · Andrew Ilyas · Aleksander Madry
In a backdoor attack, an adversary inserts maliciously constructed backdoor examples into a training set to make the resulting model vulnerable to manipulation. Defending against such attacks involves viewing inserted examples as outliers in the training set and using techniques from robust statistics to detect and remove them. In this work, we present a different approach to the backdoor attack problem. Specifically, we show that without structural information about the training data distribution, backdoor attacks are indistinguishable from naturally-occuring features in the data---and thus impossible to "detect" in a general sense. Then, guided by this observation, we revisit existing defenses against backdoor attacks and characterize the (often latent) assumptions they make, and on which they depend. Finally, we explore an alternative perspective on backdoor attacks: one that assumes these attacks correspond to the strongest feature in the training data. Under this assumption (which we make formal) we develop a new primitive for detecting backdoor attacks. Our primitive naturally gives rise to a detection algorithm that comes with theoretical guarantees, and is effective in practice.
Author Information
Alaa Khaddaj (MIT)
Guillaume Leclerc (MIT)
Aleksandar Makelov (Massachusetts Institute of Technology)
Kristian Georgiev (MIT)
Hadi Salman (OpenAI / MIT)
Andrew Ilyas (MIT)
Aleksander Madry (MIT)
More from the Same Authors
-
2022 : A Game-Theoretic Perspective on Trust in Recommendation »
Sarah Cen · Andrew Ilyas · Aleksander Madry -
2023 : ModelDiff: A Framework for Comparing Learning Algorithms »
Harshay Shah · Sung Min (Sam) Park · Andrew Ilyas · Aleksander Madry -
2023 : Dataset Interfaces: Diagnosing Model Failures Using Controllable Counterfactual Generation »
Joshua Vendrow · Saachi Jain · Logan Engstrom · Aleksander Madry -
2023 : What Works in Chest X-Ray Classification? A Case Study of Design Choices »
Evan Vogelbaum · Logan Engstrom · Aleksander Madry -
2023 : The Journey, Not the Destination: How Data Guides Diffusion Models »
Kristian Georgiev · Joshua Vendrow · Hadi Salman · Sung Min (Sam) Park · Aleksander Madry -
2023 : Paper Spotlights »
Andrew Ilyas · Alizée Pace · Ji Won Park · Adam Breitholtz · Nari Johnson -
2023 Poster: TRAK: Attributing Model Behavior at Scale »
Sung Min (Sam) Park · Kristian Georgiev · Andrew Ilyas · Guillaume Leclerc · Aleksander Madry -
2023 Oral: TRAK: Attributing Model Behavior at Scale »
Sung Min (Sam) Park · Kristian Georgiev · Andrew Ilyas · Guillaume Leclerc · Aleksander Madry -
2023 Poster: ModelDiff: A Framework for Comparing Learning Algorithms »
Harshay Shah · Sung Min (Sam) Park · Andrew Ilyas · Aleksander Madry -
2023 Oral: Raising the Cost of Malicious AI-Powered Image Editing »
Hadi Salman · Alaa Khaddaj · Guillaume Leclerc · Andrew Ilyas · Aleksander Madry -
2023 Poster: Raising the Cost of Malicious AI-Powered Image Editing »
Hadi Salman · Alaa Khaddaj · Guillaume Leclerc · Andrew Ilyas · Aleksander Madry -
2022 : Panel discussion »
Steffen Schneider · Aleksander Madry · Alexei Efros · Chelsea Finn · Soheil Feizi -
2022 : Dr. Aleksander Madry's Talk »
Aleksander Madry -
2022 : Invited Talk 1: Aleksander Mądry »
Aleksander Madry -
2022 Poster: Implicit Bias of Linear Equivariant Networks »
Hannah Lawrence · Bobak T Kiani · Kristian Georgiev · Andrew Dienes -
2022 Poster: Datamodels: Understanding Predictions with Data and Data with Predictions »
Andrew Ilyas · Sung Min (Sam) Park · Logan Engstrom · Guillaume Leclerc · Aleksander Madry -
2022 Poster: Adversarially trained neural representations are already as robust as biological neural representations »
Chong Guo · Michael Lee · Guillaume Leclerc · Joel Dapello · Yug Rao · Aleksander Madry · James DiCarlo -
2022 Oral: Adversarially trained neural representations are already as robust as biological neural representations »
Chong Guo · Michael Lee · Guillaume Leclerc · Joel Dapello · Yug Rao · Aleksander Madry · James DiCarlo -
2022 Spotlight: Datamodels: Understanding Predictions with Data and Data with Predictions »
Andrew Ilyas · Sung Min (Sam) Park · Logan Engstrom · Guillaume Leclerc · Aleksander Madry -
2022 Spotlight: Implicit Bias of Linear Equivariant Networks »
Hannah Lawrence · Bobak T Kiani · Kristian Georgiev · Andrew Dienes -
2022 Poster: Combining Diverse Feature Priors »
Saachi Jain · Dimitris Tsipras · Aleksander Madry -
2022 Spotlight: Combining Diverse Feature Priors »
Saachi Jain · Dimitris Tsipras · Aleksander Madry -
2021 : Invited Talk #4 »
Aleksander Madry -
2021 Poster: Leveraging Sparse Linear Layers for Debuggable Deep Networks »
Eric Wong · Shibani Santurkar · Aleksander Madry -
2021 Oral: Leveraging Sparse Linear Layers for Debuggable Deep Networks »
Eric Wong · Shibani Santurkar · Aleksander Madry -
2020 Poster: From ImageNet to Image Classification: Contextualizing Progress on Benchmarks »
Dimitris Tsipras · Shibani Santurkar · Logan Engstrom · Andrew Ilyas · Aleksander Madry -
2020 Poster: Identifying Statistical Bias in Dataset Replication »
Logan Engstrom · Andrew Ilyas · Shibani Santurkar · Dimitris Tsipras · Jacob Steinhardt · Aleksander Madry -
2019 Workshop: Identifying and Understanding Deep Learning Phenomena »
Hanie Sedghi · Samy Bengio · Kenji Hata · Aleksander Madry · Ari Morcos · Behnam Neyshabur · Maithra Raghu · Ali Rahimi · Ludwig Schmidt · Ying Xiao -
2019 : Panel Discussion (Nati Srebro, Dan Roy, Chelsea Finn, Mikhail Belkin, Aleksander Mądry, Jason Lee) »
Nati Srebro · Daniel Roy · Chelsea Finn · Mikhail Belkin · Aleksander Madry · Jason Lee -
2019 : Keynote by Aleksander Mądry: Are All Features Created Equal? »
Aleksander Madry -
2019 Poster: Exploring the Landscape of Spatial Robustness »
Logan Engstrom · Brandon Tran · Dimitris Tsipras · Ludwig Schmidt · Aleksander Madry -
2019 Oral: Exploring the Landscape of Spatial Robustness »
Logan Engstrom · Brandon Tran · Dimitris Tsipras · Ludwig Schmidt · Aleksander Madry -
2018 Poster: On the Limitations of First-Order Approximation in GAN Dynamics »
Jerry Li · Aleksander Madry · John Peebles · Ludwig Schmidt -
2018 Oral: On the Limitations of First-Order Approximation in GAN Dynamics »
Jerry Li · Aleksander Madry · John Peebles · Ludwig Schmidt -
2018 Poster: Black-box Adversarial Attacks with Limited Queries and Information »
Andrew Ilyas · Logan Engstrom · Anish Athalye · Jessy Lin -
2018 Oral: Black-box Adversarial Attacks with Limited Queries and Information »
Andrew Ilyas · Logan Engstrom · Anish Athalye · Jessy Lin -
2018 Poster: Synthesizing Robust Adversarial Examples »
Anish Athalye · Logan Engstrom · Andrew Ilyas · Kevin Kwok -
2018 Poster: A Classification-Based Study of Covariate Shift in GAN Distributions »
Shibani Santurkar · Ludwig Schmidt · Aleksander Madry -
2018 Oral: Synthesizing Robust Adversarial Examples »
Anish Athalye · Logan Engstrom · Andrew Ilyas · Kevin Kwok -
2018 Oral: A Classification-Based Study of Covariate Shift in GAN Distributions »
Shibani Santurkar · Ludwig Schmidt · Aleksander Madry