Backdoor Inversion in Neural-Activation Space

Guangmingmei Yang; Xi Li; Hang Wang; George Kesidis; David J. Miller

doi:10.1109/MLSP62443.2025.11204213

Backdoor Inversion in Neural-Activation Space

Guangmingmei Yang
, Xi Li
, Hang Wang
, George Kesidis
, David J. Miller

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

There are a variety of defenses against backdoor attacks planted in deep neural network (DNN) classifiers via poisoning of the training set. Backdoor-agnostic methods seek to detect and/or mitigate backdoors irrespective of the incorporation mechanism used by the attacker, while inversion methods explicitly assume one. We describe a new detector that: relies on embedded feature representations (neural-activation space) to estimate (invert) the backdoor and to identify its target class; can operate without access to the training set; and is highly effective for various incorporation mechanisms. Our approach is evaluated - and found favorable - in comparison with an array of published defenses for a variety of attacks.

Original language	English (US)
Title of host publication	35th IEEE International Workshop on Machine Learning for Signal Processing
Subtitle of host publication	Signal Processing in the Age of Lorge Language Models, MLSP 2025
Publisher	IEEE Computer Society
ISBN (Electronic)	9798331570293
DOIs	https://doi.org/10.1109/MLSP62443.2025.11204213
State	Published - 2025
Event	35th IEEE International Workshop on Machine Learning for Signal Processing, MLSP 2025 - Istanbul, Turkey Duration: Aug 31 2025 → Sep 3 2025

Publication series

Name	IEEE International Workshop on Machine Learning for Signal Processing, MLSP
ISSN (Print)	2161-0363
ISSN (Electronic)	2161-0371

Conference

Conference	35th IEEE International Workshop on Machine Learning for Signal Processing, MLSP 2025
Country/Territory	Turkey
City	Istanbul
Period	8/31/25 → 9/3/25

All Science Journal Classification (ASJC) codes

Signal Processing
Human-Computer Interaction

Access to Document

10.1109/MLSP62443.2025.11204213

Cite this

Yang, G., Li, X., Wang, H., Kesidis, G., & Miller, D. J. (2025). Backdoor Inversion in Neural-Activation Space. In 35th IEEE International Workshop on Machine Learning for Signal Processing: Signal Processing in the Age of Lorge Language Models, MLSP 2025 (IEEE International Workshop on Machine Learning for Signal Processing, MLSP). IEEE Computer Society. https://doi.org/10.1109/MLSP62443.2025.11204213

@inproceedings{d7234b1f2a1645ce9e5e7d3f13168339,

title = "Backdoor Inversion in Neural-Activation Space",

abstract = "There are a variety of defenses against backdoor attacks planted in deep neural network (DNN) classifiers via poisoning of the training set. Backdoor-agnostic methods seek to detect and/or mitigate backdoors irrespective of the incorporation mechanism used by the attacker, while inversion methods explicitly assume one. We describe a new detector that: relies on embedded feature representations (neural-activation space) to estimate (invert) the backdoor and to identify its target class; can operate without access to the training set; and is highly effective for various incorporation mechanisms. Our approach is evaluated - and found favorable - in comparison with an array of published defenses for a variety of attacks.",

author = "Guangmingmei Yang and Xi Li and Hang Wang and George Kesidis and Miller, \{David J.\}",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 35th IEEE International Workshop on Machine Learning for Signal Processing, MLSP 2025 ; Conference date: 31-08-2025 Through 03-09-2025",

year = "2025",

doi = "10.1109/MLSP62443.2025.11204213",

language = "English (US)",

series = "IEEE International Workshop on Machine Learning for Signal Processing, MLSP",

publisher = "IEEE Computer Society",

booktitle = "35th IEEE International Workshop on Machine Learning for Signal Processing",

address = "United States",

}

Yang, G, Li, X, Wang, H, Kesidis, G & Miller, DJ 2025, Backdoor Inversion in Neural-Activation Space. in 35th IEEE International Workshop on Machine Learning for Signal Processing: Signal Processing in the Age of Lorge Language Models, MLSP 2025. IEEE International Workshop on Machine Learning for Signal Processing, MLSP, IEEE Computer Society, 35th IEEE International Workshop on Machine Learning for Signal Processing, MLSP 2025, Istanbul, Turkey, 8/31/25. https://doi.org/10.1109/MLSP62443.2025.11204213

Backdoor Inversion in Neural-Activation Space. / Yang, Guangmingmei; Li, Xi; Wang, Hang et al.
35th IEEE International Workshop on Machine Learning for Signal Processing: Signal Processing in the Age of Lorge Language Models, MLSP 2025. IEEE Computer Society, 2025. (IEEE International Workshop on Machine Learning for Signal Processing, MLSP).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Backdoor Inversion in Neural-Activation Space

AU - Yang, Guangmingmei

AU - Li, Xi

AU - Wang, Hang

AU - Kesidis, George

AU - Miller, David J.

PY - 2025

Y1 - 2025

N2 - There are a variety of defenses against backdoor attacks planted in deep neural network (DNN) classifiers via poisoning of the training set. Backdoor-agnostic methods seek to detect and/or mitigate backdoors irrespective of the incorporation mechanism used by the attacker, while inversion methods explicitly assume one. We describe a new detector that: relies on embedded feature representations (neural-activation space) to estimate (invert) the backdoor and to identify its target class; can operate without access to the training set; and is highly effective for various incorporation mechanisms. Our approach is evaluated - and found favorable - in comparison with an array of published defenses for a variety of attacks.

AB - There are a variety of defenses against backdoor attacks planted in deep neural network (DNN) classifiers via poisoning of the training set. Backdoor-agnostic methods seek to detect and/or mitigate backdoors irrespective of the incorporation mechanism used by the attacker, while inversion methods explicitly assume one. We describe a new detector that: relies on embedded feature representations (neural-activation space) to estimate (invert) the backdoor and to identify its target class; can operate without access to the training set; and is highly effective for various incorporation mechanisms. Our approach is evaluated - and found favorable - in comparison with an array of published defenses for a variety of attacks.

UR - https://www.scopus.com/pages/publications/105022130943

UR - https://www.scopus.com/pages/publications/105022130943#tab=citedBy

U2 - 10.1109/MLSP62443.2025.11204213

DO - 10.1109/MLSP62443.2025.11204213

M3 - Conference contribution

AN - SCOPUS:105022130943

T3 - IEEE International Workshop on Machine Learning for Signal Processing, MLSP

BT - 35th IEEE International Workshop on Machine Learning for Signal Processing

PB - IEEE Computer Society

T2 - 35th IEEE International Workshop on Machine Learning for Signal Processing, MLSP 2025

Y2 - 31 August 2025 through 3 September 2025

ER -

Yang G, Li X, Wang H, Kesidis G , Miller DJ. Backdoor Inversion in Neural-Activation Space. In 35th IEEE International Workshop on Machine Learning for Signal Processing: Signal Processing in the Age of Lorge Language Models, MLSP 2025. IEEE Computer Society. 2025. (IEEE International Workshop on Machine Learning for Signal Processing, MLSP). doi: 10.1109/MLSP62443.2025.11204213

Backdoor Inversion in Neural-Activation Space

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this