ML Security PapersIsolate Trigger: Detecting and Eliminating Adaptive Backdoor Attacks
Chengrui Sun 1, Hua Zhang 1, Haoran Gao 2, Shang Wang 3, Zian Tian 1, Jianjin Zhao 1, Qi Li 1, Hongliang Zhu 1, Zongliang Shen 1, Anmin Fu 4
1 Beijing University of Posts and Telecommunications
2 China Mobile Research Institute
Published on arXiv
2508.04094
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
IsTr achieves over 95% backdoor detection accuracy and reduces post-repair attack success rate below 3%, outperforming seven state-of-the-art defenses while reducing detection overhead by an order of magnitude.
IsTr (Isolate Trigger)
Novel technique introduced
Deep learning models are widely deployed in various applications but remain vulnerable to stealthy adversarial threats, particularly backdoor attacks. Backdoor models trained on poisoned datasets behave normally with clean inputs but cause mispredictions when a specific trigger is present. Most existing backdoor defenses assume that adversaries only inject one backdoor with small and conspicuous triggers. However, adaptive backdoor that entangle multiple trigger patterns with benign features can effectively bypass existing defenses. To defend against these attacks, we propose Isolate Trigger (IsTr), an accurate and efficient framework for backdoor detection and mitigation. IsTr aims to eliminate the influence of benign features and reverse hidden triggers. IsTr is motivated by the observation that a model's feature extractor focuses more on benign features while its classifier focuses more on trigger patterns. Based on this difference, IsTr designs Steps and Differential-Middle-Slice to resolve the detecting challenge of isolating triggers from benign features. Moreover, IsTr employs unlearning-based repair to remove both attacker-injected and natural backdoors while maintaining model benign accuracy. We extensively evaluate IsTr against six representative backdoor attacks and compare with seven state-of-the-art baseline methods across three real-world applications: digit recognition, face recognition, and traffic sign recognition. In most cases, IsTr reduces detection overhead by an order of magnitude while achieving over 95\% detection accuracy and maintaining the post-repair attack success rate below 3\%, outperforming baseline defenses. IsTr remains robust against various adaptive attacks, even when trigger patterns are heavily entangled with benign features.
Key Contributions
- Steps and Differential-Middle-Slice technique that exploits the difference between feature extractor (benign feature focus) and classifier (trigger focus) to isolate backdoor triggers from benign features
- Unlearning-based repair mechanism that removes both attacker-injected and natural backdoors while preserving clean accuracy
- Evaluation across six backdoor attacks and seven baselines showing >95% detection accuracy, <3% post-repair attack success rate, and order-of-magnitude reduction in detection overhead
🛡️ Threat Analysis
Paper's entire contribution is defending against backdoor/trojan attacks — models with hidden triggers that activate on specific inputs to cause mispredictions. IsTr detects and mitigates these hidden backdoors, including adaptive variants that entangle triggers with benign features.