Backdoor attacks typically aim to implant malicious behavior into deep learning models by injecting a small number of poisoned samples into the training dataset. Specifically, once the model is trained on these poisoned samples, it will misclassify the samples into the target class when the trigger is activated. However, when the trigger is not present, the backdoor model behaves the same as a normal model and does not show anomalous behavior. According to the attack method, existing backdoor attacks can be classified into two categories: (1) poison-label attacks [8–12], which connect the trigger and the target class by changing the labels of the toxic samples to the target labels to enhance the attack effect [9,13] or to hide the traces of the attack [14–16]. (2) Clean-label attacks [17–19], which keep the original labels of the samples unchanged and only poison samples within the target class by injecting triggers. Although clean label attacks are more stealthy, they may sometimes fail to successfully implant a backdoor [19,20].

Existing backdoor defense methods can be broadly divided into three categories: (1) Model reconstruction defenses. These methods directly modify a suspicious model to suppress or remove backdoor behaviors, usually by first synthesizing triggers and then mitigating their influence [6,7,21,22]. This type of method largely relies on the quality of synthesized triggers, so the defense effect may not be satisfactory when facing more complex triggers [23,24]. For instance, Neural Cleaner (NC) [6] generates a trigger for each category and employs Median Absolute Deviation (MAD) for outlier detection, followed by a forgetting strategy to eliminate the backdoor. Zhu et al. [7] use the strong reconstruction capability of GANs to detect and “clean” neural backdoors without requiring access to the training data, showing robustness and efficiency across various settings. A new Trojan network detection mechanism [21] locates a “winning Trojan lottery ticket” that retains almost complete Trojan information but only chance-level performance on clean input, and then restores the triggers embedded in this already isolated subnetwork. The Shapley Pruning [22] can identify and remove less than 1% of infected neurons while maintaining model structure and accuracy, even with extremely limited data (one or zero samples per class). (2) Pruning-based defenses. These approaches aim to detect and prune malicious neurons and typically require access to clean labeled data, which is often impractical in real-world scenarios. For example, Fine-Pruning [25] combines neuron pruning with fine-tuning to suppress or eliminate backdoor behavior. (3) Input detection defenses. This category focuses on identifying poisoned samples at inference time without modifying the model. Activation-based defenses such as STRIP [26] detect backdoors by measuring prediction entropy under input perturbations, while SentiNet [27] localizes suspicious regions using model interpretability. MNTD [28] trains a meta-classifier to distinguish clean and Trojaned models from their behavior. Defenses can be categorized by the defender’s knowledge into sample-, model-, and training data-level approaches [29]. For example, CCA-UD [29] operates at the training data level by clustering samples to identify clean and poisoned ones, which is computationally expensive. In contrast, our method achieves high-level defense directly at the sample level.

Attack Setting: In backdoor attacks on classification tasks, we train a DNN model Cθ:𝒳→𝒴, where 𝒳⊆Rd denotes the input space and 𝒴={1,2,…,K} denotes the set of class labels. The training dataset is denoted by Dtrain={(xn,yn)}n=1N, where xn∈𝒳 is the n-th input sample and yn∈𝒴 is its corresponding class label. For a clean input xn, the model output satisfies Cθ(xn)=yn, indicating that the prediction is correct on normal samples. For an input sample x′=x+t(x) with a backdoor trigger t(x), the model satisfies Cθ(x′)=yt, where yt is the target label specified by the attacker. To implement the backdoor attack, αN (where 0<α<1) samples are selected from the training dataset as poisoned samples, and the following modifications are applied: (1) Label modification: change the labels of the poisoned samples to the target label yt. (2) Trigger injection: add a trigger t(x) to each poisoned sample so that x′=x+t(x) becomes a triggered sample. After processing the samples, we train the model Cθ on the modified training set so that it behaves normally on clean samples while being activated by the embedded triggers for backdoor attacks.

Defense Setting: This study considers a realistic black-box defense scenario, where the defender obtains a pre-trained model from an untrusted source without access to its training process, and is only given clean samples and test samples for inspection. (1) Defense Objective: Detect poisoned samples with backdoor triggers while maintaining accuracy on clean samples comparable to standard defenses. (2) Defense Capability: Our method detects backdoored samples without modifying the dataset or model, preventing trigger-target associations. It generalizes to multiple types of backdoors and various image classification datasets without requiring knowledge of model architecture or parameters.

Our backdoor defense adopts the inverse reasoning concept of “input-output” to achieve accurate sample detection. Firstly, a convolutional neural network (CNN) extracts feature vectors for all images in the dataset. By calculating the difference between feature vectors, we select the two clean images with the largest difference in features between them. Secondly, the test image is fused with each of the two most dissimilar images at a certain ratio. Finally, the two mixed samples are input into the model to obtain two outputs, and the consistency of these outputs is used to determine whether the input samples are poisoned, thereby achieving backdoor detection. The specific detection flowchart is shown in Fig. 2.

It is worth noting that in order to carry out effective backdoor attacks, attackers must carefully design the spatial location and pattern of triggers. Attackers typically maximize the mask of the trigger with the activation value of one or more neurons to create trigger-sensitive internal neurons. This design reinforces the activation of vulnerable neurons and establishes a strong association between the trigger and these neurons. As a result, once the model detects the trigger, these neurons are strongly activated, leading to a corresponding misclassification.

From a defense perspective, this characteristic can be exploited to identify poisoned inputs. The conceptual basis of AFI is as follows: poisoned samples contain a backdoor trigger that is specifically designed to maximize the activation of a small set of neurons highly sensitive to the trigger, establishing a strong association between the trigger and these neurons. Once the model detects the trigger, these neurons are significantly activated and dominate the output. Even when a poisoned sample is blended with other images, this dominant activation persists, resulting in consistently predicted labels. In contrast, clean samples lack such dominant features, so blending introduces variability in their representations, leading to unstable predictions. This difference in prediction stability under blending provides the conceptual foundation for AFI’s ability to distinguish poisoned samples from clean ones. When the input contains a trigger, it causes significant increases in neuron activations, which heavily influence the model output. Therefore, when the poisoned sample is fused with the clean sample, the model output will still be affected by the triggers and each output matches the attacker-specified label specified by the attacker. When the sample to be detected is a clean sample, the model output will be affected by the fusion of the two samples with which it is fused due to the large differences in their characteristics, showing significant differences. As illustrated in Fig. 2.

The fusion ratio α is a key parameter that balances the influence between the test sample x and the clean reference sample ci. Extensive experiments show that an effective range for α consistently lies between 0.3 and 0.6. The underlying principle is that α should be large enough to preserve potential trigger signals in the test sample, yet small enough to allow the clean reference to provide a strong and correct semantic context for consistency checking.

Based on an in-depth analysis of the spatial characteristics of triggers from different backdoor attacks, we summarize the following empirical selection strategy:

For Local Trigger Attacks: Such as BadNets and IAB, where the trigger is confined to a small region of the image. We recommend using a lower α value (approximately 0.3–0.5). A smaller fusion ratio helps retain the local trigger pattern in the blended image without overwhelming it with clean-sample semantics.

The above strategy provides a robust guideline for scenarios where the attack type is known or can be inferred. For completely unknown cases, we suggest a simple grid search procedure over α∈[0.3,0.6] with a step size of 0.01, using a small validation subset to select the optimal value. This protocol has been verified effective in our experiments, ensuring the AFI method’s robustness and reproducibility across diverse datasets and attack types.

Firstly, we propose a sample-level universal backdoor detection method, which thoroughly embodies the dialectical unity of attack and defense. This approach employs a straightforward mechanism to achieve accurate and efficient defense. Secondly, for the backdoor defender, the method only requires a clean sample dataset. By extracting features and computing the feature distances, it selects the two samples with the most significant feature discrepancy. Compared with conventional backdoor defense techniques, our method greatly reduces the amount of data computation and storage. For users, this method does not need any operation on the dataset, just upload and input the image samples to be detected, which is convenient to use. Thirdly, our method focuses on the new defense concept of trigger detection. It only needs to detect the poisoned samples containing triggers and prevent the toxic samples from entering the model, which not only avoids backdoor attacks but also retains the availability of the model on clean samples. The AFI algorithm is shown in Algorithm 1.

The experiment involves three datasets, including MNIST [31], CIFAR-10 [32] and ImageNet subsets [33]. These datasets cover a variety of recognition tasks, including the classification of common objects, fine-grained classification, and action recognition.

All datasets are initially composed of clean samples. We implement four prominent backdoor attacks on these datasets: BadNets, Blend [14], WaNet [16], and IAB [13]. The ResNet-18 architecture [34] serves as the target model for both backdoor attack implantation and defense evaluation.

Attack baseline: we have carried out four common backdoor attacks, including BadNets [9], Blend, WaNet, IAB. In BadNets, WaNet, and IAB, we choose 1 (yt=1) as the target label, and in Blend, we choose 0 (yt=0) as the target label. The poisoning rate for all attacks is set to 10%, meaning 10% of the training samples are poisoned. For poison-label attacks (BadNets, WaNet, IAB), this involves modifying both the sample and its label. For the clean-label attack (Blend), only the sample is modified while its original label is preserved.

Defense baseline: We compare our method with six existing backdoor defense methods, including fine pruning (FP) [25], neural attention distillation (NAD) [35], anti-backdoor learning (ABL) [36], STRIP [26], SentiNet [27], and MNTD [28]. Since FP, NAD, and ABL are sensitive to their hyperparameters, we optimize their best results by grid search.

In order to evaluate the performance of AFI, we use three indicators: the accuracy of clean images (ACC), the success rate of detecting backdoor images (DSR), and the detection stability (DSP).

ACC reflects the classification ability of the model on a clean image. A higher value indicates that the model is not disturbed by backdoor attacks. (8)ACCclean=1Nclean∑i=1Nclean∏(C(xi)=yi)where Nclean is the total number of clean images, f(xi) is the prediction label of the model for sample xi, yi is the real label of sample xi, and ∏(⋅) is the indicating function. When the prediction is correct, it returns 1; otherwise, it returns 0.

DSR reflects the ability of AFI to successfully detect whether the sample is poisoned. Ideally, we hope that the defense success rate is as close as possible to 1, which means that the defense can effectively distinguish between clean samples and poisoned samples. (9)DSR=12[1Nclean∑i=1Nclean∏(Ci(Cmix1)≠Ci(Cmix2))+1Npoisoned∑j=1Npoisoned∏(Cj(Cmix1)=Cj(Cmix2))]where Nclean is the total number of clean images without embedded backdoor triggers, Npoisoned is the total number of images with backdoor triggers, The predictions C(Cmix1(i)) and C(Cmix2(i)) are obtained by fusing the i-th clean image with the two reference samples. C(Cmix1(j)) and C(Cmix2(j)) represent the prediction labels from blending the j-th poisoned image with the two reference samples. ∏(⋅) is the indicator function. In the clean sample detection calculation, if the prediction labels of two fused images are different, it returns 1; otherwise, it returns 0. In the calculation of poisoned sample detection, if the prediction labels of two fused images are the same, it returns 1; otherwise, it returns 0. The detection success rate DSR of the AFI is the average of DSRclean and DSRpoisoned.

We propose DSP (Detection Stability Performance) as a new evaluation metric to assess the universality and robustness of detection methods under practical conditions. DSP measures performance consistency across different datasets and attack methodologies. This metric addresses the real-world challenge where users cannot predetermine the attack presence or specific attack types, thus requiring defenses that remain effective in cross-domain scenarios.

DSP combines performance metrics across datasets and attacks, including average clean accuracy (DSPACC) and average detection rate on poisoned samples (DSPDSR), formulated as: (10)DSP=12[1n×m∑i=1n∑j=1mACCi,j+1n×m∑i=1n∑j=1mDSRi,j]

The square root operation normalizes magnitude differences across heterogeneous datasets and attack types, preventing any single condition from dominating the overall DSP. The equal weighting balances the contributions of classification accuracy and detection success rate, which may differ in scale or importance depending on the scenario. These design choices enhance the stability and interpretability of DSP while maintaining sufficient sensitivity to distinguish between methods.

The formula highlights how the square root reduces the influence of extreme values, and the weighting balances the two components, yielding a robust and interpretable evaluation metric across diverse datasets and attack types.

A larger DSP indicates that the detection method is more consistent and stable across scenarios, making it a valuable measure of universality and deployment potential in complex, open environments.

To verify the superiority of AFI, we conduct four types of backdoor attacks across three datasets using ResNet. While maintaining a high accuracy and attack rate, the results of using AFI in turn are shown in Table 1.

Evaluation results in Table 1 confirm AFI’s universal defense capability. The method elevates DSR from near-zero to >92% across all tested configurations while preserving ACC within 2% of its original value. Consistent DSP performance (86.49–95.20) demonstrates robustness against diverse attack patterns (BadNets, Blend, WaNet, IAB) and dataset complexities, establishing AFI as an effective sample-level backdoor detection solution.

This section discusses the theoretical robustness of the AFI method when facing a strong, adaptive attacker with full knowledge of the defense mechanism, addressing the reviewer’s valuable comment. We consider a white-box attack scenario: the attacker is fully aware of AFI’s detection pipeline (including the feature extractor, blending ratio α, and decision rule) and aims to design a trigger t that can evade detection.

The attacker’s objective is formalized as a dual-goal optimization problem: the trigger must ensure that not only is the poisoned sample x′=x+t classified as the target label yt, but also that the blended output C(ci×(1−α)+x′×α) remains yt when fused with any clean reference sample ci from the holdout set 𝒞, thereby breaking the prediction consistency check upon which AFI relies.

Theoretically, we argue that successfully crafting such a trigger is inherently difficult for the adversary. AFI’s fusion mechanism forces the attacker to solve a conflicting optimization objective: the trigger must be effective on the original poisoned sample x′ while simultaneously maintaining its dominance over the model’s prediction even when x′ is significantly “diluted” by the semantic content of a clean sample. This effectively necessitates the trigger to possess a global and overwhelmingly strong semantic influence in the feature space.

However, achieving this likely comes at a high cost for the attacker, leading to a critical trade-off:

Loss of Stealth: An overly potent and global trigger required to withstand arbitrary fusion becomes more susceptible to detection via visual inspection or statistical anomaly detection, compromising the fundamental requirement of a stealthy backdoor.

In conclusion, the AFI mechanism does not attempt to create an impenetrable defense but rather fundamentally raises the bar for a successful attack. It forces the attacker into a difficult tri-lemma, having to balance attack effectiveness, trigger stealth, and model utility. While the implementation and evaluation of more complex adaptive attacks constitute an important direction for our future work, the above analysis demonstrates that AFI provides a foundation for practical backdoor defense with inherent robustness by making adaptive attacks more costly and difficult to conceal.