What problem does this paper attempt to address?

The problem that this paper attempts to solve is to detect backdoor attacks in machine - learning models. Specifically, the authors propose a new detection method - **Universal Soldier for Backdoor detection (USB)**, which utilizes the similarity between universal adversarial perturbations (UAP) and backdoor triggers to detect backdoor attacks. ### Background and Motivation 1. **Limitations of Existing Methods**: - **Reverse - engineering methods** (such as Neural Cleanse (NC) and TABOR) may not be able to effectively detect backdoors in some cases, especially when the backdoor trigger is very similar to the class features. - **Non - patch - based attacks** (such as Input - aware dynamic backdoor attacks) pose challenges to existing methods because these methods usually start optimization from random points and it is difficult to generate specifically designed triggers. 2. **Similarity between UAP and Backdoor Triggers**: - The authors observe that the UAP generated from the backdoor - injected model requires less perturbation to mislead the model, indicating that UAP can capture the characteristics of backdoor neurons. - Using this property, the USB method can directly use UAP to detect potential backdoors and is more efficient than existing methods. ### Method Overview 1. **Threat Model**: - The paper considers defense in the machine - learning - as - a - service (MLaaS) scenario, where the attacker controls or accesses the MLaaS platform with the aim of injecting backdoors into the model. 2. **Target UAP Generation**: - The authors modify the existing UAP generation algorithm so that it can generate UAP for specific target classes. The specific algorithm is shown in Algorithm 1. By iteratively updating the perturbation vector \(v\), the input data \(x_i + v\) is misclassified as the target class \(t\). 3. **UAP Optimization**: - To further analyze potential triggers, the authors introduce an optimization phase to update the target UAP by minimizing the loss function. The loss function includes cross - entropy loss, structural similarity index (SSIM) and L1 - norm, as shown specifically in formula (1): \[ L = L_{ce}(\text{output}, t)-\text{SSIM}(x, x')+\text{norm}_{L1}(\text{mask}) \] ### Experimental Results 1. **Datasets and Models**: - The authors conduct experiments on multiple datasets (CIFAR - 10, ImageNet, GTSRB, MNIST) and model architectures (ResNet - 18, VGG - 16, EfficientNet - B0). 2. **Performance Evaluation**: - **Model Detection**: USB performs excellently in detecting backdoor - injected models, especially when dealing with strong backdoor attacks (such as Latent Backdoor and Input - aware dynamic backdoor attacks). - **Target Class Detection**: USB can accurately identify the target class of the backdoor, while other methods (such as NC and TABOR) may fail in some cases. 3. **Time Consumption**: - Compared with NC and TABOR, USB significantly reduces the time required for optimizing reverse - engineering potential triggers because UAP can be generalized across different networks and only needs to be generated once for similar models. ### Conclusion This paper proposes a new backdoor detection method USB. By exploiting the similarity between UAP and backdoor triggers, it effectively detects multiple types of backdoor attacks. The experimental results show that USB performs excellently on multiple datasets and model architectures, especially when dealing with strong backdoor attacks. Future work will further optimize the UAP generation process to reduce the optimization time.