English

Backdoor Learning Curves: Explaining Backdoor Poisoning Beyond Influence Functions

Machine Learning 2024-12-17 v4 Cryptography and Security

Abstract

Backdoor attacks inject poisoning samples during training, with the goal of forcing a machine learning model to output an attacker-chosen class when presented a specific trigger at test time. Although backdoor attacks have been demonstrated in a variety of settings and against different models, the factors affecting their effectiveness are still not well understood. In this work, we provide a unifying framework to study the process of backdoor learning under the lens of incremental learning and influence functions. We show that the effectiveness of backdoor attacks depends on: (i) the complexity of the learning algorithm, controlled by its hyperparameters; (ii) the fraction of backdoor samples injected into the training set; and (iii) the size and visibility of the backdoor trigger. These factors affect how fast a model learns to correlate the presence of the backdoor trigger with the target class. Our analysis unveils the intriguing existence of a region in the hyperparameter space in which the accuracy on clean test samples is still high while backdoor attacks are ineffective, thereby suggesting novel criteria to improve existing defenses.

Keywords

Cite

@article{arxiv.2106.07214,
  title  = {Backdoor Learning Curves: Explaining Backdoor Poisoning Beyond Influence Functions},
  author = {Antonio Emanuele Cinà and Kathrin Grosse and Sebastiano Vascon and Ambra Demontis and Battista Biggio and Fabio Roli and Marcello Pelillo},
  journal= {arXiv preprint arXiv:2106.07214},
  year   = {2024}
}

Comments

Preprint; Paper accepted at International Journal of Machine Learning and Cybernetics; 25 pages

R2 v1 2026-06-24T03:09:39.531Z