The Power of Backdoor Absorption in Community Training

📅 2026-07-07
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the threat of stealthy backdoor injection by external compute nodes in decentralized training, where conventional detection methods incur prohibitive costs due to full recomputation. The authors propose an efficient, provably secure defense mechanism that, for the first time, models the backdoor injection and absorption process as a discrete-time Markov chain. By integrating randomized scheduling with a lazy verification oracle and leveraging the robustness of continuous optimization dynamics under Byzantine perturbations, the approach enables honest updates to naturally dilute malicious influences. Theoretically, under a bounded adversary assumption, the backdoor success rate asymptotically vanishes as training progresses. Empirically, activating verification on only 10% of training steps suffices to effectively suppress attacks without compromising model utility.
📝 Abstract
Backdoor attacks severely threaten large-scale AI models. When model owners delegate training to external compute providers within a decentralized training paradigm, adversaries can craft stealthy, low-frequency triggers to inject malicious behavior while evading standard audits. Traditionally, detecting these attacks requires a full re-computation of the training steps--a prohibitive overhead that directly contradicts the owner's resource constraints. To address this, we investigate the resilience of continuous optimization dynamics under Byzantine perturbations, where adversaries are forced to compete against a continuous influx of honest updates. Under a threat model where an adversary compromises f out of n total trainers, we quantify the minimum auditing overhead required by the model owner to probabilistically bound the attack success rate. We formalize this injection-absorption dynamic as a Discrete-Time Markov Chain (DTMC). Using this framework, we prove that the success probability of any bounded adversary asymptotically collapses to zero under a defense strategy combining natural absorption, a randomized scheduler, and lazy verification oracle. Empirical results demonstrate significant backdoor suppression with zero utility degradation even when invoking the verification oracle on merely 10% of the total training steps. This approach yields a provably sound and computationally efficient defense for safety-critical AI.
Problem

Research questions and friction points this paper is trying to address.

backdoor attacks
decentralized training
auditing overhead
Byzantine perturbations
model security
Innovation

Methods, ideas, or system contributions that make the work stand out.

backdoor absorption
Discrete-Time Markov Chain
Byzantine resilience
lazy verification oracle
decentralized training