A General Framework for Defending Against Backdoor Attacks via Influence Graph

We introduce the notion of the influence graph, which consists of nodes and edges respectively representative of individual training points and associated pair-wise influences. The influence between a pair of training points represents the impact of removing one training point on the prediction of another, approximated by the influence function (Koh & Liang, 2017). Malicious training points are extracted by finding the maximum average sub-graph subject to a particular size. Extensive experiments on computer vision and natural language processing tasks demonstrate the effectiveness and generality of the proposed framework. Deep neural models are susceptible to backdoor attacks, which hack the model by injecting triggers to the input and alters the output to a target label (Gu et al., 2017; Chen et al., 2017; 2020). Consequently, the model will behave normally on clean data, but make incorrect predictions when encountering attacked data embedded with hidden triggers.