CBPF: A Novel Method for Filtering Poisoned Data Based on Composite Backdoor Attacks

Hanfeng Xia, Haibo Hong, Ruili Wang, Yiru Sun, Hao Ding

Research output: Journal Publication, Article, peer-review

Abstract

Backdoor attacks involve the injection of a limited quantity of poisoned samples containing triggers into the training dataset. During the inference stage, backdoor attacks can uphold a high level of accuracy for normal examples, yet when presented with trigger-containing instances, the model may erroneously predict them as the targeted class designated by the attacker. This article addresses the challenge of backdoor attacks by developing a novel method for filtering poisoned samples. We primarily leverage two key characteristics of backdoor attacks: 1) Multiple backdoors can exist simultaneously within a single model and 2) The discovery through composite backdoor attack (CBA) that altering two triggers in a sample to new target labels does not compromise the original functionality of the triggers, yet enables the prediction of the data as a new target class when both triggers are present simultaneously. Therefore, a novel three-stage poisoning data filtering approach, known as composite backdoor poisoning filtering (CBPF), is proposed as an effective solution. First, utilizing the identified distinctions in output between poisoned and clean samples, a subset of data is partitioned to include both poisoned and clean data. Subsequently, benign triggers are incorporated and labels are adjusted to create new target and benign target classes, thereby prompting the poisoned and clean data to be classified as distinct entities during the inference stage. The experimental results indicate that CBPF is successful in filtering out poisoned data produced by seven advanced attacks on CIFAR-10, GTSRB and ImageNet-12. On average, CBPF attains a notable filtering success rate of 99.88% for these attacks on CIFAR-10. Additionally, the model trained on the uncontaminated samples exhibits sustained high accuracy levels.

Original language: English
Pages (from-to): 25136-25147
Number of pages: 12
Journal: IEEE Internet of Things Journal
Volume: 12
Issue number: 13
Publication status: Published - 2025
Externally published: Yes

Keywords

  • Backdoor attacks
  • backdoor defenses
  • composite backdoor poisoning filtering (CBPF)
  • deep neural networks (DNNs)

ASJC Scopus subject areas

  • Signal Processing
  • Information Systems
  • Hardware and Architecture
  • Computer Science Applications
  • Computer Networks and Communications
