English

Quantization Blindspots: How Model Compression Breaks Backdoor Defenses

Machine Learning 2025-12-09 v1 Cryptography and Security

Abstract

Backdoor attacks embed input-dependent malicious behavior into neural networks while preserving high clean accuracy, making them a persistent threat for deployed ML systems. At the same time, real-world deployments almost never serve full-precision models: post-training quantization to INT8 or lower precision is now standard practice for reducing memory and latency. This work asks a simple question: how do existing backdoor defenses behave under standard quantization pipelines? We conduct a systematic empirical study of five representative defenses across three precision settings (FP32, INT8 dynamic, INT4 simulated) and two standard vision benchmarks using a canonical BadNet attack. We observe that INT8 quantization reduces the detection rate of all evaluated defenses to 0% while leaving attack success rates above 99%. For INT4, we find a pronounced dataset dependence: Neural Cleanse remains effective on GTSRB but fails on CIFAR-10, even though backdoors continue to survive quantization with attack success rates above 90%. Our results expose a mismatch between how defenses are commonly evaluated (on FP32 models) and how models are actually deployed (in quantized form), and they highlight quantization robustness as a necessary axis in future evaluations and designs of backdoor defenses.

Keywords

Cite

@article{arxiv.2512.06243,
  title  = {Quantization Blindspots: How Model Compression Breaks Backdoor Defenses},
  author = {Rohan Pandey and Eric Ye},
  journal= {arXiv preprint arXiv:2512.06243},
  year   = {2025}
}

Comments

10 pages

R2 v1 2026-07-01T08:12:41.644Z