A More algorithmic details and analysis on the proposed method

We summarize the SD module in Algorithm 1. We omit some algorithmic details and state the SD module in Algorithm 1 for an easy understanding. Here, we continue to elaborate our mechanism in Algorithm 2. The main supplement is the step of ASR is already higher than 90%. However, it doesn't work under clean-label attacks (shown in Figure 1(c,f)) since poisoned samples are mixed up with clean samples. Then, we reuse the SD module and find that clean and poisoned samples can be well separated.