ML Security PapersKill it with FIRE: On Leveraging Latent Space Directions for Runtime Backdoor Mitigation in Deep Neural Networks
Enrico Ahlers 1, Daniel Passon 1, Yannic Noller 2, Lars Grunske 1
Published on arXiv
2602.10780
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
FIRE outperforms current runtime backdoor mitigations on image benchmarks across various attacks, datasets, and network architectures with low computational overhead.
FIRE (Feature-space Inference-time REpair)
Novel technique introduced
Machine learning models are increasingly present in our everyday lives; as a result, they become targets of adversarial attackers seeking to manipulate the systems we interact with. A well-known vulnerability is a backdoor introduced into a neural network by poisoned training data or a malicious training process. Backdoors can be used to induce unwanted behavior by including a certain trigger in the input. Existing mitigations filter training data, modify the model, or perform expensive input modifications on samples. If a vulnerable model has already been deployed, however, those strategies are either ineffective or inefficient. To address this gap, we propose our inference-time backdoor mitigation approach called FIRE (Feature-space Inference-time REpair). We hypothesize that a trigger induces structured and repeatable changes in the model's internal representation. We view the trigger as directions in the latent spaces between layers that can be applied in reverse to correct the inference mechanism. Therefore, we turn the backdoored model against itself by manipulating its latent representations and moving a poisoned sample's features along the backdoor directions to neutralize the trigger. Our evaluation shows that FIRE has low computational overhead and outperforms current runtime mitigations on image benchmarks across various attacks, datasets, and network architectures.
Key Contributions
- Hypothesis and empirical validation that backdoor triggers induce consistent, structured directions in a model's latent spaces across multiple layers
- FIRE: a lightweight inference-time mitigation that moves poisoned samples' latent representations along reversed backdoor directions to restore correct predictions without modifying model weights or requiring retraining
- Evaluation showing FIRE outperforms existing runtime backdoor mitigations across various attacks, datasets, and architectures with low computational overhead
🛡️ Threat Analysis
FIRE directly defends against backdoor/trojan attacks by identifying trigger-induced directions in latent space and reversing them at inference time to neutralize poisoned samples — the canonical ML10 threat.