DeBackdoor: A Deductive Framework for Detecting Backdoor Attacks on Deep Models with Limited Data

Dorde Popovic; Amin Sadeghi; Ting Yu; Sanjay Chawla; Issa Khalil

DeBackdoor: A Deductive Framework for Detecting Backdoor Attacks on Deep Models with Limited Data

Dorde Popovic
, Amin Sadeghi
, Ting Yu^*
, Sanjay Chawla
, Issa Khalil

^*Corresponding author for this work

Qatar Computing Research Institute

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

Abstract

Backdoor attacks are among the most effective, practical, and stealthy attacks in deep learning. In this paper, we consider a practical scenario where a developer obtains a deep model from a third party and uses it as part of a safety-critical system. The developer wants to inspect the model for potential backdoors prior to system deployment. We find that most existing detection techniques make assumptions that are not applicable to this scenario. In this paper, we present a novel framework for detecting backdoors under realistic restrictions. We generate candidate triggers by deductively searching over the space of possible triggers. We construct and optimize a smoothed version of Attack Success Rate as our search objective. Starting from a broad class of template attacks and just using the forward pass of a deep model, we reverse engineer the backdoor attack. We conduct extensive evaluation on a wide range of attacks, models, and datasets, with our technique performing almost perfectly across these settings.

Original language	English
Title of host publication	Proceedings of the 34th USENIX Security Symposium
Publisher	USENIX Association
Pages	6419-6438
Number of pages	20
ISBN (Electronic)	9781939133526
Publication status	Published - 2025
Event	34th USENIX Security Symposium, USENIX Security 2025 - Seattle, United States Duration: 13 Aug 2025 → 15 Aug 2025

Publication series

Name	Proceedings of the 34th USENIX Security Symposium

Conference

Conference	34th USENIX Security Symposium, USENIX Security 2025
Country/Territory	United States
City	Seattle
Period	13/08/25 → 15/08/25

Cite this

@inproceedings{41e40f3b6bb64b2499927e187429abd7,

title = "DeBackdoor: A Deductive Framework for Detecting Backdoor Attacks on Deep Models with Limited Data",

abstract = "Backdoor attacks are among the most effective, practical, and stealthy attacks in deep learning. In this paper, we consider a practical scenario where a developer obtains a deep model from a third party and uses it as part of a safety-critical system. The developer wants to inspect the model for potential backdoors prior to system deployment. We find that most existing detection techniques make assumptions that are not applicable to this scenario. In this paper, we present a novel framework for detecting backdoors under realistic restrictions. We generate candidate triggers by deductively searching over the space of possible triggers. We construct and optimize a smoothed version of Attack Success Rate as our search objective. Starting from a broad class of template attacks and just using the forward pass of a deep model, we reverse engineer the backdoor attack. We conduct extensive evaluation on a wide range of attacks, models, and datasets, with our technique performing almost perfectly across these settings.",

author = "Dorde Popovic and Amin Sadeghi and Ting Yu and Sanjay Chawla and Issa Khalil",

note = "Publisher Copyright: {\textcopyright} 2025 by The USENIX Association All Rights Reserved.; 34th USENIX Security Symposium, USENIX Security 2025 ; Conference date: 13-08-2025 Through 15-08-2025",

year = "2025",

language = "English",

series = "Proceedings of the 34th USENIX Security Symposium",

publisher = "USENIX Association",

pages = "6419--6438",

booktitle = "Proceedings of the 34th USENIX Security Symposium",

}

Popovic, D, Sadeghi, A, Yu, T, Chawla, S & Khalil, I 2025, DeBackdoor: A Deductive Framework for Detecting Backdoor Attacks on Deep Models with Limited Data. in Proceedings of the 34th USENIX Security Symposium. Proceedings of the 34th USENIX Security Symposium, USENIX Association, pp. 6419-6438, 34th USENIX Security Symposium, USENIX Security 2025, Seattle, United States, 13/08/25.

DeBackdoor: A Deductive Framework for Detecting Backdoor Attacks on Deep Models with Limited Data. / Popovic, Dorde; Sadeghi, Amin; Yu, Ting et al.
Proceedings of the 34th USENIX Security Symposium. USENIX Association, 2025. p. 6419-6438 (Proceedings of the 34th USENIX Security Symposium).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution › peer-review

TY - GEN

T1 - DeBackdoor

T2 - 34th USENIX Security Symposium, USENIX Security 2025

AU - Popovic, Dorde

AU - Sadeghi, Amin

AU - Yu, Ting

AU - Chawla, Sanjay

AU - Khalil, Issa

PY - 2025

Y1 - 2025

N2 - Backdoor attacks are among the most effective, practical, and stealthy attacks in deep learning. In this paper, we consider a practical scenario where a developer obtains a deep model from a third party and uses it as part of a safety-critical system. The developer wants to inspect the model for potential backdoors prior to system deployment. We find that most existing detection techniques make assumptions that are not applicable to this scenario. In this paper, we present a novel framework for detecting backdoors under realistic restrictions. We generate candidate triggers by deductively searching over the space of possible triggers. We construct and optimize a smoothed version of Attack Success Rate as our search objective. Starting from a broad class of template attacks and just using the forward pass of a deep model, we reverse engineer the backdoor attack. We conduct extensive evaluation on a wide range of attacks, models, and datasets, with our technique performing almost perfectly across these settings.

AB - Backdoor attacks are among the most effective, practical, and stealthy attacks in deep learning. In this paper, we consider a practical scenario where a developer obtains a deep model from a third party and uses it as part of a safety-critical system. The developer wants to inspect the model for potential backdoors prior to system deployment. We find that most existing detection techniques make assumptions that are not applicable to this scenario. In this paper, we present a novel framework for detecting backdoors under realistic restrictions. We generate candidate triggers by deductively searching over the space of possible triggers. We construct and optimize a smoothed version of Attack Success Rate as our search objective. Starting from a broad class of template attacks and just using the forward pass of a deep model, we reverse engineer the backdoor attack. We conduct extensive evaluation on a wide range of attacks, models, and datasets, with our technique performing almost perfectly across these settings.

UR - https://www.scopus.com/pages/publications/105021358854

M3 - Conference contribution

AN - SCOPUS:105021358854

T3 - Proceedings of the 34th USENIX Security Symposium

SP - 6419

EP - 6438

BT - Proceedings of the 34th USENIX Security Symposium

PB - USENIX Association

Y2 - 13 August 2025 through 15 August 2025

ER -

DeBackdoor: A Deductive Framework for Detecting Backdoor Attacks on Deep Models with Limited Data

Abstract

Publication series

Conference

Other files and links

Fingerprint

Cite this