[2504.21730] Cert-SSBD: Certified Backdoor Defense with Sample-Specific Smoothing Noises
Summary
The paper presents Cert-SSBD, a novel method for defending against backdoor attacks in deep neural networks by optimizing noise levels specific to each sample, enhancing certification performance.
Why It Matters
Backdoor attacks pose significant risks to deep learning applications, and existing defenses often fall short. Cert-SSBD addresses these vulnerabilities by introducing a sample-specific approach, potentially improving the robustness of AI systems in real-world scenarios.
Key Takeaways
- Cert-SSBD optimizes noise levels for each sample to enhance defense against backdoor attacks.
- The method addresses limitations of existing randomized smoothing defenses that assume equidistance from decision boundaries.
- Extensive experiments validate the effectiveness of Cert-SSBD across multiple benchmark datasets.
- The approach introduces a dynamic certification method that adjusts based on sample-specific noise levels.
- The authors make their code available, enabling further research and application in the field.
Computer Science > Cryptography and Security
arXiv:2504.21730 (cs)
[Submitted on 30 Apr 2025 (v1), last revised 19 Feb 2026 (this version, v2)]
Title: Cert-SSBD: Certified Backdoor Defense with Sample-Specific Smoothing Noises
Authors: Ting Qiao, Yingjia Wang, Xing Liu, Sixing Wu, Jianbin Li, Yiming Li
Abstract: Deep neural networks (DNNs) are vulnerable to backdoor attacks, where an attacker manipulates a small portion of the training data to implant hidden backdoors into the model. The compromised model behaves normally on clean samples but misclassifies backdoored samples into the attacker-specified target class, posing a significant threat to real-world DNN applications. Currently, several empirical defense methods have been proposed to mitigate backdoor attacks, but they are often bypassed by more advanced backdoor techniques. In contrast, certified defenses based on randomized smoothing have shown promise by adding random noise to training and testing samples to counteract backdoor attacks. In this paper, we reveal that existing randomized smoothing defenses implicitly assume that all samples are equidistant from the decision boundary. However, it may not hold in practice, leading to suboptimal certification performance. To address this issue, we propose a sample-specific certified backdoor defense meth...
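The following added example (not code from the paper or its authors) illustrates the abstract's point about the equidistance assumption with a Cohen-style randomized-smoothing certifier on a constructed 1-D classifier: a single fixed noise level either abstains on a near-boundary sample or wastes certified radius on a far one, while choosing the noise level per sample does better. It covers only test-time certification, uses a one-sided Hoeffding bound in place of the usual Clopper-Pearson interval, and its per-sample search over a few candidate noise levels is an assumption standing in for Cert-SSBD's own optimisation, which the page does not detail.

```python
import math
import random
from statistics import NormalDist

_PHI_INV = NormalDist().inv_cdf  # standard normal quantile function


def base_classifier(x: float) -> int:
    """Toy 1-D base classifier with its decision boundary at x = 0 (constructed)."""
    return 1 if x > 0.0 else 0


def certify(x: float, sigma: float, n: int = 1000, alpha: float = 0.001, seed: int = 0):
    """Randomized-smoothing certification of one input at noise level sigma.

    Draws n Gaussian perturbations, takes the majority class, lower-bounds its
    probability p_A with a one-sided Hoeffding bound at confidence 1 - alpha
    (assumption: the literature usually uses Clopper-Pearson), and returns
    (class, sigma * Phi^-1(p_A_lower)), or (None, 0.0) when it must abstain.
    """
    rng = random.Random(seed)
    counts = [0, 0]
    for _ in range(n):
        counts[base_classifier(x + rng.gauss(0.0, sigma))] += 1
    c_a = max(range(2), key=counts.__getitem__)
    p_lower = counts[c_a] / n - math.sqrt(math.log(1.0 / alpha) / (2.0 * n))
    if p_lower <= 0.5:
        return None, 0.0  # majority class not certifiable at this noise level
    return c_a, sigma * _PHI_INV(p_lower)


def best_sigma(x: float, candidates=(0.05, 0.25, 1.0)) -> tuple:
    """Sample-specific choice: the candidate noise level with the largest radius.

    Hypothetical stand-in for sample-specific noise; not Cert-SSBD's method.
    Returns (sigma, certified_radius).
    """
    radius, sigma = max((certify(x, s)[1], s) for s in candidates)
    return sigma, radius


if __name__ == "__main__":
    for x in (0.02, 3.0):  # a near-boundary sample and a far-from-boundary sample
        for s in (0.05, 0.25, 1.0):
            print(f"x={x:<4} sigma={s:<4} -> {certify(x, s)}")
        print(f"x={x:<4} best (sigma, radius) = {best_sigma(x)}")
```

With a fixed sigma of 1.0 the near-boundary sample abstains while the far one gets a large radius; with a fixed sigma of 0.05 the near sample is certified but the far sample's radius collapses, which is what motivates choosing the noise level per sample.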