We propose Februus; a new idea to neutralize highly potent and insidious
Trojan attacks on Deep Neural Network (DNN) systems at run-time. In Trojan
attacks, an adversary activates a backdoor crafted in a deep neural network
model using a secret trigger, a Trojan, applied to any input to alter the
model's decision to a target prediction---a target determined by and only known
to the attacker. Februus sanitizes the incoming input by surgically removing
the potential trigger artifacts and restoring the input for the classification
task. Februus enables effective Trojan mitigation by sanitizing inputs with no
loss of performance for sanitized inputs, Trojaned or benign. Our extensive
evaluations on multiple infected models based on four popular datasets across
three contrasting vision applications and trigger types demonstrate the high
efficacy of Februus. We dramatically reduced attack success rates from 100% to
near 0% for all cases (achieving 0% on multiple cases) and evaluated the
generalizability of Februus to defend against complex adaptive attacks;
notably, we realized the first defense against the advanced partial Trojan
attack. To the best of our knowledge, Februus is the first backdoor defense
method for operation at run-time capable of sanitizing Trojaned inputs without
requiring anomaly detection methods, model retraining or costly labeled data.Comment: 16 pages, to appear in the 36th Annual Computer Security Applications
Conference (ACSAC 2020