BDEL: A Backdoor Attack Defense Method Based on Ensemble Learning

Deep neural networks (DNNs) are susceptible to backdoor attacks. Previous researches have demonstrated the challenges in both removing poisoned samples from compromised datasets and repairing contaminated models. These difficulties arise as attackers employ adaptive strategies, enhancing the stealthiness of their attacks and thereby evading detection by defenders. To address these challenges, we propose BDEL, a defense method based on ensemble learning, aimed at enhancing the model intrinsic robustness against backdoor attacks. BDEL focuses on strengthening the model directly, thus avoiding the need for assumptions about the attackers. In addition, BDEL does not require the retention of a clean dataset and is compatible with any existing DNN. Specifically, we construct random subsets from the original dataset and train individual base classifiers on these subsets, each equipped with a different network architecture. During the training process of these base classifiers, a self-ensembling strategy is employed to enhance the intrinsic robustness of the model. To the best of our knowledge, we are the first to propose a method to enhance model robustness against backdoor attacks through self-ensembling. We evaluated BDEL against various types of backdoor attacks. The results demonstrate that BDEL is effective in defending against these attacks and achieves state-of-the-art performance.