4.7 Article

On the Effectiveness of Adversarial Training Against Backdoor Attacks

Publisher

IEEE-INST ELECTRICAL ELECTRONICS ENGINEERS INC
DOI: 10.1109/TNNLS.2023.3281872

Keywords

Adversarial training (AT); backdoor attack; deep learning; robustness


Although adversarial training (AT) has been considered as a potential defense against backdoor attacks, it has not yielded satisfactory results and has even strengthened backdoor attacks in some cases. This motivates a comprehensive evaluation of the effectiveness of AT against backdoor attacks in various settings. The research finds that the type and budget of perturbations used in AT are crucial factors, and common perturbations in AT are only effective for specific backdoor trigger patterns. Based on these findings, practical suggestions for backdoor defense, such as relaxed adversarial perturbation and composite AT, are presented. This work not only enhances confidence in AT's ability to defend against backdoor attacks but also provides valuable insights for future research.
Although adversarial training (AT) is regarded as a potential defense against backdoor attacks, AT and its variants have only yielded unsatisfactory results or have even inversely strengthened backdoor attacks. The large discrepancy between expectations and reality motivates us to thoroughly evaluate the effectiveness of AT against backdoor attacks across various settings for AT and backdoor attacks. We find that the type and budget of perturbations used in AT are important, and AT with common perturbations is only effective for certain backdoor trigger patterns. Based on these empirical findings, we present some practical suggestions for backdoor defense, including relaxed adversarial perturbation and composite AT. This work not only boosts our confidence in AT's ability to defend against backdoor attacks but also provides some important insights for future research.
