Exposing Backdoors in Robust Machine Learning Models

The introduction of robust optimisation has pushed the state-of-the-art in defending against adversarial attacks. However, the behaviour of such optimisation has not been studied in the light of a fundamentally different class of attacks called backdoors. In this paper, we demonstrate that adversarially robust models are susceptible to backdoor attacks. Subsequently, we observe that backdoors are reflected in the feature representation of such models. Then, this observation is leveraged to detect backdoor-infected models via a detection technique called AEGIS. Specifically, AEGIS uses feature clustering to effectively detect backdoor-infected robust Deep Neural Networks (DNNs). In our evaluation of several visible and hidden backdoor triggers on major classification tasks using CIFAR-10, MNIST and FMNIST datasets, AEGIS effectively detects robust DNNs infected with backdoors. AEGIS detects a backdoor-infected model with 91.6% accuracy, without any false positives. Furthermore, AEGIS detects the targeted class in the backdoor-infected model with a reasonably low (11.1%) false positive rate. Our investigation reveals that salient features of adversarially robust DNNs break the stealthy nature of backdoor attacks.