Pith. sign in

REVIEW 15 cited by

Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering

Not yet reviewed by Pith; the record is open.

This paper has not been read by Pith yet. Machine review is queued; the pith claim, tier, and objections will appear here once it completes.

SPECIMEN: schema-true, not a live event

T0 review · schema-true

One-sentence machine reading of the paper's core claim.

pith:XXXXXXXX · record.json · timestamp

arxiv 1811.03728 v1 pith:V223C7FM submitted 2018-11-09 cs.LG cs.CRstat.ML

Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering

classification cs.LG cs.CRstat.ML
keywords modelbackdoorattackdatadetectingmodelsnetworksneural
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved
0 comments
read the original abstract

While machine learning (ML) models are being increasingly trusted to make decisions in different and varying areas, the safety of systems using such models has become an increasing concern. In particular, ML models are often trained on data from potentially untrustworthy sources, providing adversaries with the opportunity to manipulate them by inserting carefully crafted samples into the training set. Recent work has shown that this type of attack, called a poisoning attack, allows adversaries to insert backdoors or trojans into the model, enabling malicious behavior with simple external backdoor triggers at inference time and only a blackbox perspective of the model itself. Detecting this type of attack is challenging because the unexpected behavior occurs only when a backdoor trigger, which is known only to the adversary, is present. Model users, either direct users of training data or users of pre-trained model from a catalog, may not guarantee the safe operation of their ML-based system. In this paper, we propose a novel approach to backdoor detection and removal for neural networks. Through extensive experimental results, we demonstrate its effectiveness for neural networks classifying text and images. To the best of our knowledge, this is the first methodology capable of detecting poisonous data crafted to insert backdoors and repairing the model that does not require a verified and trusted dataset.

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Forward citations

Cited by 15 Pith papers

Reviewed papers in the Pith corpus that reference this work. Sorted by Pith novelty score.

  1. TimeGuard: Channel-wise Pool Training for Backdoor Defense in Time Series Forecasting

    cs.CR 2026-05 unverdicted novelty 7.0

    TimeGuard defends time series forecasting against backdoors via channel-wise pool training initialized by time-aware criteria and expanded with distance-regularized loss selection, improving poisoned MAE by 1.96x whil...

  2. McNdroid: A Longitudinal Multimodal Benchmark for Robust Drift Detection in Android Malware

    cs.CR 2026-05 unverdicted novelty 7.0

    McNdroid is a new longitudinal multimodal benchmark showing that Android malware detectors degrade over time but multimodal approaches maintain better performance across long temporal gaps.

  3. Undetectable Backdoors in Model Parameters: Hiding Sparse Secrets in High Dimensions

    cs.CR 2026-05 unverdicted novelty 7.0

    Sparse Backdoor plants a provably undetectable backdoor in neural network weights via structured sparse perturbations and isotropic Gaussian dithering, with detection hardness reduced to Sparse PCA.

  4. Follow My Eyes: Backdoor Attacks on Goal-Directed Scanpath Prediction

    cs.CR 2026-04 conditional novelty 7.0

    Backdoor attacks on VLM-based scanpath predictors can redirect fixations toward chosen objects or inflate durations using input-conditioned triggers that evade cluster detection, and no tested defense blocks them with...

  5. Detect, Unlearn, Restore: Defending Text Summarization Models Against Data Poisoning

    cs.CL 2026-06 unverdicted novelty 6.0

    A unified detection and unlearning framework identifies and mitigates data poisoning in summarization models, achieving 85-92% detection and up to 96% behavior restoration across multiple architectures.

  6. SCRUB-FL: Sanitizing and Cleansing Representations via Unlearning of Backdoors

    cs.LG 2026-06 unverdicted novelty 6.0

    SCRUB-FL uses client spectral analysis and WGAN-GP to model suspicious patterns during FL training, aggregates generators server-side, then synthesizes triggers and applies unlearning to reduce backdoor success rates ...

  7. Mirage: a Clean-Label Backdoor against LiDAR 3D Object Detection

    cs.CV 2026-06 unverdicted novelty 6.0

    Mirage achieves 73% misclassification success on LiDAR 3DOD models with 0.5% poisoning rate via label-consistent trigger injection.

  8. TimeGuard: Channel-wise Pool Training for Backdoor Defense in Time Series Forecasting

    cs.CR 2026-05 unverdicted novelty 6.0

    TimeGuard employs channel-wise pool training initialized with time-aware criteria and distance-regularized loss selection to defend time series forecasting against backdoor attacks, improving robustness by 1.96x while...

  9. DETOUR: A Practical Backdoor Attack against Object Detection

    cs.CR 2026-04 unverdicted novelty 6.0

    DETOUR enables practical backdoor attacks on object detectors by training with rescaled semantic triggers from real-world objects placed at multiple locations to exploit the trigger radiating effect for reliable activ...

  10. CSC: Turning the Adversary's Poison against Itself

    cs.CR 2026-04 unverdicted novelty 6.0

    CSC identifies backdoored samples via early-epoch latent clustering and conceals them by relabeling to a virtual class, driving attack success rates near zero on benchmarks with little clean accuracy loss.

  11. PASTA: A Patch-Agnostic Twofold-Stealthy Backdoor Attack on Vision Transformers

    cs.CV 2026-04 unverdicted novelty 6.0

    PASTA enables patch-agnostic backdoor activation in ViTs via multi-location trigger insertion during training and bi-level optimization, achieving 99.13% average attack success with large gains in visual/attention ste...

  12. A Patch-based Cross-view Regularized Framework for Backdoor Defense in Multimodal Large Language Models

    cs.CV 2026-04 unverdicted novelty 5.0

    A patch-augmented cross-view regularization method reduces backdoor attack success rates in multimodal LLMs by enforcing output differences between original and perturbed views while using entropy constraints to prese...

  13. Clustering Unsupervised Representations as Defense against Poisoning Attacks on Speech Commands Classification System

    cs.SD 2026-06 unverdicted novelty 4.0

    Clustering DINO representations via K-means and LDA filters poisoned speech samples, reducing attack success rate from 99.75% to 0.25% at 10% poisoning level.

  14. DeepSeek Robustness Against Semantic-Character Dual-Space Mutated Prompt Injection

    cs.CR 2026-04 unverdicted novelty 4.0

    Dual-space semantic-character mutations on prompts achieve higher misuse success rates against DeepSeek than single-space attacks alone.

  15. TCAP: Tri-Component Attention Profiling for Unsupervised Backdoor Detection in MLLM Fine-Tuning

    cs.AI 2026-01 unverdicted novelty 4.0

    TCAP detects backdoor samples in MLLM fine-tuning via tri-component attention profiling, GMM-based head identification, and EM vote aggregation.