Modern machine learning (ML) systems demand substantial training data, often
resorting to external sources. Nevertheless, this practice renders them
vulnerable to backdoor poisoning attacks. Prior backdoor defense strategies
have primarily focused on the identification of backdoored models or poisoned
data characteristics, typically operating under the assumption of access to
clean data. In this work, we delve into a relatively underexplored challenge:
the automatic identification of backdoor data within a poisoned dataset, all
under realistic conditions, i.e., without the need for additional clean data or
without manually defining a threshold for backdoor detection. We draw an
inspiration from the scaled prediction consistency (SPC) technique, which
exploits the prediction invariance of poisoned data to an input scaling factor.
Based on this, we pose the backdoor data identification problem as a
hierarchical data splitting optimization problem, leveraging a novel SPC-based
loss function as the primary optimization objective. Our innovation unfolds in
several key aspects. First, we revisit the vanilla SPC method, unveiling its
limitations in addressing the proposed backdoor identification problem.
Subsequently, we develop a bi-level optimization-based approach to precisely
identify backdoor data by minimizing the advanced SPC loss. Finally, we
demonstrate the efficacy of our proposal against a spectrum of backdoor
attacks, encompassing basic label-corrupted attacks as well as more
sophisticated clean-label attacks, evaluated across various benchmark datasets.
Experiment results show that our approach often surpasses the performance of
current baselines in identifying backdoor data points, resulting in about
4%-36% improvement in average AUROC. Codes are available at
this https URL

现代机器学习（ML）系统需要大量的训练数据，但常常需要使用外部数据源。然而，这种做法使它们容易受到后门污染攻击的威胁。本文关注一个相对未被深入研究的挑战：在一个被污染的数据集中自动识别后门数据，且不需要额外的干净数据或手动定义后门检测的阈值。通过基于缩放预测一致性（SPC）技术，使得针对后门数据的识别问题成为一个分层数据分割优化问题，并利用一种新的基于 SPC 的损失函数作为主要优化目标。我们的创新体现在几个关键方面：首先，重新审视了传统的 SPC 方法，揭示了其在解决后门识别问题上的局限性。其次，我们基于双层优化的方法精确地识别后门数据，通过最小化改良版的 SPC 损失函数。最后，我们通过在不同基准数据集上评估各种基本标签污染攻击和更复杂的干净标签攻击，证明了我们的方法的有效性。实验结果显示，我们的方法在识别后门数据点方面常常优于当前基准线的性能，平均 AUROC 提高了约 4%-36%。源代码可在此网址获得：https://example.com