Detecting backdoor attacks using exclusionary reclassification
US11538236B2 · kind B2 · utility
Assignee
Inventors
Key dates
| Filing date | Sep 16, 2019 |
| Grant date | Dec 27, 2022 |
| Priority date | — |
| Expiry date | Jun 25, 2041 |
Classification
- Technology area (CPC G): Physics
- CPC primary: G06V10/7753
- WIPO field: Computer technology
- WIPO sector: Electrical engineering
Abstract
Embodiments relate to a system, program product, and method for processing an untrusted data set to automatically determine which data points therein are poisonous. A neural network is trained using potentially poisoned training data. Each of the training data points is classified using the network to retain the activations of at least one hidden layer, and those activations are segmented by the label of the corresponding training data. Clustering is applied to the retained activations of each segment, and a clustering assessment is conducted to remove an identified cluster from the data set, form a new training set, and train a second neural model with the new training set. The removed cluster and corresponding data are applied to the trained second neural model to analyze and classify data in the removed cluster as either legitimate or poisonous.
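The remove, retrain and reclassify loop from the abstract, as an added sketch that is not code from the patent. It assumes constructed 3-D vectors in place of hidden-layer activations, a nearest-centroid classifier in place of the second neural model, "smaller of two clusters" as the clustering assessment, and a majority vote for the verdict.

```python
from math import dist

# Constructed data: 3-D vectors stand in for hidden-layer activations (assumption).
# The third coordinate plays the role of a backdoor-trigger feature.
DATA = [((0, 0, 0), 0), ((1, 0, 0), 0), ((0, 1, 0), 0), ((0.5, 0.5, 0), 0),
        ((2, 2, 0), 0), ((2, 1.5, 0), 0),
        ((6, 6, 0), 1), ((7, 6, 0), 1), ((6, 7, 0), 1), ((7, 7, 0), 1),
        ((6.5, 6.5, 0), 1),
        ((0.5, 0.5, 4), 1), ((1, 0.5, 4), 1)]   # source-class inputs relabelled 1

def mean(points):
    return tuple(sum(c) / len(points) for c in zip(*points))

def two_means(points, rounds=10):
    """Deterministic 2-means: seed with the first point and the one farthest from it."""
    cents = [points[0], max(points, key=lambda p: dist(p, points[0]))]
    for _ in range(rounds):
        groups = [[], []]
        for p in points:
            groups[dist(p, cents[1]) < dist(p, cents[0])].append(p)
        cents = [mean(g) for g in groups]
    return groups

def train(data):
    """Second model: nearest-centroid classifier (stand-in for retraining a network)."""
    labels = {y for _, y in data}
    return {y: mean([x for x, l in data if l == y]) for y in labels}

def predict(model, x):
    return min(model, key=lambda y: dist(x, model[y]))

def exclusionary_reclassification(data):
    verdicts = {}
    for label in sorted({y for _, y in data}):
        segment = [x for x, y in data if y == label]      # activations segmented by label
        suspect = min(two_means(segment), key=len)        # size-based assessment (assumption)
        kept = [(x, y) for x, y in data if not (y == label and x in suspect)]
        model = train(kept)                               # trained without the suspect cluster
        agree = sum(predict(model, x) == label for x in suspect)
        verdicts[label] = ("legitimate" if 2 * agree >= len(suspect) else "poisonous",
                           sorted(suspect))               # majority vote (assumption)
    return verdicts

if __name__ == "__main__":
    print(exclusionary_reclassification(DATA))
```

The label-0 segment shows why the reclassification step matters: clustering alone splits off a small cluster there too, but the retrained model still assigns those points to label 0, so they are kept as legitimate.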
Source: USPTO / EPO open patent data. Objective bibliographic and citation counts.