BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning

Zhihuan Xing; Yuqing Lan; Yin Yu; Yong Cao; Xiaoyi Yang; Yichun Yu; Dan Yu

doi:10.1007/978-981-96-0116-5_18

BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning

Zhihuan Xing
, Yuqing Lan^*
, Yin Yu
, Yong Cao
, Xiaoyi Yang^*
, Yichun Yu
, Dan Yu

^*此作品的通讯作者

Beihang University
Beijing Institute of Technology
China Standard Intelligent Security Co., Ltd.

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

摘要

Deep neural networks (DNNs) are susceptible to backdoor attacks. Previous researches have demonstrated the challenges in both removing poisoned samples from compromised datasets and repairing contaminated models. These difficulties arise as attackers employ adaptive strategies, enhancing the stealthiness of their attacks and thereby evading detection by defenders. To address these challenges, we propose BDEL, a defense method based on ensemble learning, aimed at enhancing the model intrinsic robustness against backdoor attacks. BDEL focuses on strengthening the model directly, thus avoiding the need for assumptions about the attackers. In addition, BDEL does not require the retention of a clean dataset and is compatible with any existing DNN. Specifically, we construct random subsets from the original dataset and train individual base classifiers on these subsets, each equipped with a different network architecture. During the training process of these base classifiers, a self-ensembling strategy is employed to enhance the intrinsic robustness of the model. To the best of our knowledge, we are the first to propose a method to enhance model robustness against backdoor attacks through self-ensembling. We evaluated BDEL against various types of backdoor attacks. The results demonstrate that BDEL is effective in defending against these attacks and achieves state-of-the-art performance.

源语言	英语
主期刊名	PRICAI 2024
主期刊副标题	Trends in Artificial Intelligence - 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024, Proceedings
编辑	Rafik Hadfi, Takayuki Ito, Patricia Anthony, Alok Sharma, Quan Bai
出版商	Springer Science and Business Media Deutschland GmbH
页	221-235
页数	15
ISBN（印刷版）	9789819601158
DOI	https://doi.org/10.1007/978-981-96-0116-5_18
出版状态	已出版 - 2025
活动	21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024 - Kyoto, 日本期限: 18 11月 2024 → 24 11月 2024

出版系列

姓名	Lecture Notes in Computer Science
卷	15281 LNAI
ISSN（印刷版）	0302-9743
ISSN（电子版）	1611-3349

会议

会议	21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024
国家/地区	日本
市	Kyoto
时期	18/11/24 → 24/11/24

访问文件

10.1007/978-981-96-0116-5_18

其它文件与链接

链接到 Scopus 的出版物

引用此

Xing, Z., Lan, Y., Yu, Y., Cao, Y., Yang, X., Yu, Y., & Yu, D. (2025). BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning. 在 R. Hadfi, T. Ito, P. Anthony, A. Sharma, & Q. Bai (编辑), PRICAI 2024: Trends in Artificial Intelligence - 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024, Proceedings (页码 221-235). (Lecture Notes in Computer Science; 卷 15281 LNAI). Springer Science and Business Media Deutschland GmbH. https://doi.org/10.1007/978-981-96-0116-5_18

Xing, Zhihuan ; Lan, Yuqing ; Yu, Yin 等. / BDEL : A Backdoor Attack Defense Method Based on Ensemble Learning. PRICAI 2024: Trends in Artificial Intelligence - 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024, Proceedings. 编辑 / Rafik Hadfi ; Takayuki Ito ; Patricia Anthony ; Alok Sharma ; Quan Bai. Springer Science and Business Media Deutschland GmbH, 2025. 页码 221-235 (Lecture Notes in Computer Science).

@inproceedings{972d114065de4d768f4888a7babbca0b,

title = "BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning",

abstract = "Deep neural networks (DNNs) are susceptible to backdoor attacks. Previous researches have demonstrated the challenges in both removing poisoned samples from compromised datasets and repairing contaminated models. These difficulties arise as attackers employ adaptive strategies, enhancing the stealthiness of their attacks and thereby evading detection by defenders. To address these challenges, we propose BDEL, a defense method based on ensemble learning, aimed at enhancing the model intrinsic robustness against backdoor attacks. BDEL focuses on strengthening the model directly, thus avoiding the need for assumptions about the attackers. In addition, BDEL does not require the retention of a clean dataset and is compatible with any existing DNN. Specifically, we construct random subsets from the original dataset and train individual base classifiers on these subsets, each equipped with a different network architecture. During the training process of these base classifiers, a self-ensembling strategy is employed to enhance the intrinsic robustness of the model. To the best of our knowledge, we are the first to propose a method to enhance model robustness against backdoor attacks through self-ensembling. We evaluated BDEL against various types of backdoor attacks. The results demonstrate that BDEL is effective in defending against these attacks and achieves state-of-the-art performance.",

keywords = "Backdoor attacks, Ensemble learning, Security of deep learning",

author = "Zhihuan Xing and Yuqing Lan and Yin Yu and Yong Cao and Xiaoyi Yang and Yichun Yu and Dan Yu",

note = "Publisher Copyright: {\textcopyright} The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.; 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024 ; Conference date: 18-11-2024 Through 24-11-2024",

year = "2025",

doi = "10.1007/978-981-96-0116-5\_18",

language = "英语",

isbn = "9789819601158",

series = "Lecture Notes in Computer Science",

publisher = "Springer Science and Business Media Deutschland GmbH",

pages = "221--235",

editor = "Rafik Hadfi and Takayuki Ito and Patricia Anthony and Alok Sharma and Quan Bai",

booktitle = "PRICAI 2024",

address = "德国",

}

Xing, Z, Lan, Y, Yu, Y, Cao, Y, Yang, X, Yu, Y & Yu, D 2025, BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning. 在 R Hadfi, T Ito, P Anthony, A Sharma & Q Bai (编辑), PRICAI 2024: Trends in Artificial Intelligence - 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024, Proceedings. Lecture Notes in Computer Science, 卷 15281 LNAI, Springer Science and Business Media Deutschland GmbH, 页码 221-235, 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024, Kyoto, 日本, 18/11/24. https://doi.org/10.1007/978-981-96-0116-5_18

BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning. / Xing, Zhihuan; Lan, Yuqing; Yu, Yin 等.
PRICAI 2024: Trends in Artificial Intelligence - 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024, Proceedings. 编辑 / Rafik Hadfi; Takayuki Ito; Patricia Anthony; Alok Sharma; Quan Bai. Springer Science and Business Media Deutschland GmbH, 2025. 页码 221-235 (Lecture Notes in Computer Science; 卷 15281 LNAI).

科研成果: 书/报告/会议事项章节 › 会议稿件 › 同行评审

TY - GEN

T1 - BDEL

T2 - 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024

AU - Xing, Zhihuan

AU - Lan, Yuqing

AU - Yu, Yin

AU - Cao, Yong

AU - Yang, Xiaoyi

AU - Yu, Yichun

AU - Yu, Dan

N1 - Publisher Copyright: © The Author(s), under exclusive license to Springer Nature Singapore Pte Ltd. 2025.

PY - 2025

Y1 - 2025

N2 - Deep neural networks (DNNs) are susceptible to backdoor attacks. Previous researches have demonstrated the challenges in both removing poisoned samples from compromised datasets and repairing contaminated models. These difficulties arise as attackers employ adaptive strategies, enhancing the stealthiness of their attacks and thereby evading detection by defenders. To address these challenges, we propose BDEL, a defense method based on ensemble learning, aimed at enhancing the model intrinsic robustness against backdoor attacks. BDEL focuses on strengthening the model directly, thus avoiding the need for assumptions about the attackers. In addition, BDEL does not require the retention of a clean dataset and is compatible with any existing DNN. Specifically, we construct random subsets from the original dataset and train individual base classifiers on these subsets, each equipped with a different network architecture. During the training process of these base classifiers, a self-ensembling strategy is employed to enhance the intrinsic robustness of the model. To the best of our knowledge, we are the first to propose a method to enhance model robustness against backdoor attacks through self-ensembling. We evaluated BDEL against various types of backdoor attacks. The results demonstrate that BDEL is effective in defending against these attacks and achieves state-of-the-art performance.

AB - Deep neural networks (DNNs) are susceptible to backdoor attacks. Previous researches have demonstrated the challenges in both removing poisoned samples from compromised datasets and repairing contaminated models. These difficulties arise as attackers employ adaptive strategies, enhancing the stealthiness of their attacks and thereby evading detection by defenders. To address these challenges, we propose BDEL, a defense method based on ensemble learning, aimed at enhancing the model intrinsic robustness against backdoor attacks. BDEL focuses on strengthening the model directly, thus avoiding the need for assumptions about the attackers. In addition, BDEL does not require the retention of a clean dataset and is compatible with any existing DNN. Specifically, we construct random subsets from the original dataset and train individual base classifiers on these subsets, each equipped with a different network architecture. During the training process of these base classifiers, a self-ensembling strategy is employed to enhance the intrinsic robustness of the model. To the best of our knowledge, we are the first to propose a method to enhance model robustness against backdoor attacks through self-ensembling. We evaluated BDEL against various types of backdoor attacks. The results demonstrate that BDEL is effective in defending against these attacks and achieves state-of-the-art performance.

KW - Backdoor attacks

KW - Ensemble learning

KW - Security of deep learning

UR - https://www.scopus.com/pages/publications/85210146230

U2 - 10.1007/978-981-96-0116-5_18

DO - 10.1007/978-981-96-0116-5_18

M3 - 会议稿件

AN - SCOPUS:85210146230

SN - 9789819601158

T3 - Lecture Notes in Computer Science

SP - 221

EP - 235

BT - PRICAI 2024

A2 - Hadfi, Rafik

A2 - Ito, Takayuki

A2 - Anthony, Patricia

A2 - Sharma, Alok

A2 - Bai, Quan

PB - Springer Science and Business Media Deutschland GmbH

Y2 - 18 November 2024 through 24 November 2024

ER -

Xing Z, Lan Y, Yu Y, Cao Y, Yang X, Yu Y 等. BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning. 在 Hadfi R, Ito T, Anthony P, Sharma A, Bai Q, 编辑, PRICAI 2024: Trends in Artificial Intelligence - 21st Pacific Rim International Conference on Artificial Intelligence, PRICAI 2024, Proceedings. Springer Science and Business Media Deutschland GmbH. 2025. 页码 221-235. (Lecture Notes in Computer Science). doi: 10.1007/978-981-96-0116-5_18

BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning

摘要

出版系列

会议

访问文件

其它文件与链接

指纹

引用此