Statistically Undetectable Backdoors in Deep Neural Networks
This paper proves something deeply unsettling: backdoors can be planted in neural networks that are statistically indistinguishable from clean models even when the adversary hands you all the weights. The backdoor works by creating adversarial examples based on invariance — mapping distant inputs to suspiciously close outputs — and detecting it is provably hard under standard cryptographic assumptions. This establishes a fundamental asymmetry between model trainers and model users that has direct implications for supply chain trust in ML.
Takeaways
- White-box access to model weights is insufficient to detect certain classes of backdoors, undermining common assumptions about model auditing.
- The power asymmetry between model trainers and users is provable, not just empirical — users cannot efficiently detect what trainers can efficiently hide.
- Supply chain trust for ML models requires more than weight inspection; behavioral testing under adversarial conditions is necessary but may also be insufficient.