Rethinking Backdoor Adversarial Unlearning through the Lens of Catastrophic Forgetting in Continual Learning
Researchers have proposed novel approaches to addressing security concerns in machine learning models, including a method to eliminate backdoor effects and a challenge to the assumption that high-fidelity surrogate models provide economic leverage.
A team of researchers has presented a new method, Blind Inversion-Backdoor Adversarial Unlearning (BI-BAU), to completely eliminate backdoor effects in machine learning models. According to their study published on arXiv[1], current backdoor defenses exhibit limited robustness and often fail against specific types of attacks. The proposed BI-BAU method formulates the generation of adversarial examples as a blind inversion problem and integrates bi-level optimization into an Expectation-Maximization algorithm framework. The researchers claim that BI-BAU can effectively and thoroughly eliminate backdoor effects from a compromised model. In a separate study also published on arXiv[2], researchers challenged the conventional wisdom that high-fidelity surrogate models obtained through model stealing attacks provide economic leverage comparable to original service providers. They evaluated model stealing attacks beyond mere fidelity to the target model and found that surrogate models can display significant variances in critical performance metrics. The researchers used multiplicity metrics and group fairness metrics to evaluate the diversity of surrogate models, suggesting that the economic leverage of surrogate models may be overstated.
safety-researchtool-releaseresearch-papercommentary
Background sources we checked (1)
- arxiv.org ↗ Existing studies reveal that current backdoor defenses exhibit limited robustness and often fail against specific types of attacks. More concerningly, prevailing safety tuning strategies tend to provide only superficial safety protection, as they fall short of completely eliminat…