Machine learning (ML) models underpin an ever-growing variety of software systems, including cybersecurity solutions designed to thwart active adversaries [1], [2], [3]. The deployment of models in security-sensitive contexts increases the relevance of adversarial ML risks, both during inference, evasion attacks, and during model training, poisoning attacks. The risk of adversarial interference during training is further enhanced by recent trends, such as the growing size of data sets and the increasing reliance on crowd-sourcing of data [4], leading to heightened public awareness [5], [6].
This work addresses backdoor attacks [7] in cybersecurity settings [8], [9], [10], where a model learns to associate an adversary-chosen data pattern (trigger) with a target class. During inference, any input containing the trigger is misclassified accordingly. These attacks are especially concerning in cybersecurity, where models are trained on large, externally sourced datasets, increasing the risk of data manipulation. Their stealthy nature-preserving accuracy on clean inputs-makes detection and mitigation particularly difficult. We examine an insidious clean-label backdoor attack targeting automated traffic analysis systems [10]. This attack injects triggers into a small number of benign training samples without altering labels, is model-agnostic, and is applicable to a variety of data modalities in cybersecurity.
Our defense, outlined in Figure 2, leverages the information asymmetry between attacker and defender to isolate poisoned samples while preserving clean data for training. It uses an iterative scoring process on clustered data in a selected feature subspace, applying multiple remediation strategies to suppress poisoned clusters. Our method reduces backdoor attack success by up to 90% while maintaining high utility, even at poisoning rates as high as 5%. Unlike most existing defenses, it requires no clean reference data or assumptions about model architecture, making it broadly applicable.
In summary, we make the following contributions.
• We introduce a new defense against clean-label backdoor attacks in cybersecurity, removing the need for trusted data or model-specific assumptions.
• We thoroughly evaluate our method against existing attacks on different model architectures, showing strong mitigation with minimal impact on model utility (F1 score) and false positive rate. • We ensure reproducibility by using public datasets and open-source attack implementations and will release the code used in our experiments.foot_0 II. RELATED WORK Backdoor poisoning attacks embed a trigger pattern into a small fraction of training data to hijack model predictions while leaving clean-test accuracy intact. Early work by Gu et al. demonstrated pixel-based triggers in vision tasks [7], and subsequent clean-label methods removed the need for label tampering [11], [12]. In cybersecurity domains, packetlevel and feature-space poisoning, as well as label-flipping, have been explored [13], [14], including clean-label attacks guided by model explanations against malware classifiers [8] and complex network-flow triggers [10].
Defenses span several paradigms. Certified methods offer provable guarantees via outlier removal and ensemble partitioning [15], [16] or randomized smoothing [17], though they often require impractically large ensembles. Detection and Filtering approaches analyze internal model representations -activation clustering and spectral-signature removal in neural embeddings [18], [19], [20] -but are limited to neural networks. Model Purification techniques prune or finetune backdoored networks using small clean sets [21], [22], but are highly sensitive to the available clean data, and may struggle when task and backdoor signals intertwine. Anti-Backdoor Learning identifies and unlearns fast-converging poisoned points early in training, refined through self and semi-supervised stages [23], [24], [25]. Other methods include weight-and activation-based analyses (ABS [26], MNTD [27]), trigger-reverse-engineering (NeuralCleanse [28]), topological embedding analyses (TED [29]), and high-cost ensemble sanitization in cybersecurity via NestedTraining [30], [31]. Our approach involves data sanitization before training the model, to identify and remove poisoned samples in a modelagnostic fashion.
Defending ML models in cybersecurity presents unique challenges and opportunities. Effective defenses must work across diverse models like decision-tree ensembles and neural networks used in security applications such as malicious domain classifiers [2] and malware classification [32]. Moreover, the availability of clean reference data, a common assumption in literature [22], [33], is not granted. While obtaining clean images or text is relatively inexpensive (crowd-sourced annotations and filtering), verifying cybersecurity data requires expensive domain expert analysis.
Cybersecurity data imposes intrinsic constraints that also limit the attacker, enabling defenders to make assumptions unlikely to hold in other domains. Notably, prior attacks [8], [10] emphasize the use of feature importance estimation in crafting effective triggers -an insight defenders can exploit to narrow the detection scope in feature space. Stealthy attackers often use clean-label poisoning, blending malicious samples with benign data without altering labels, as they typically lack control over labeling. This tactic helps poisoned points blend into the diverse benign distribution. While such variability complicates detection, it also justifies the assumption that poisoned samples form a subset of the benign class.
We target binary-classification models in security settings that operate on hand-crafted, tabular features. An adversary seeks to poison training inputs so that malicious samples evade detection (e.g., harmful traffic passes unnoticed), while the defender aims to thwart such attacks without degrading overall performance-especially keeping false-positive rates low to avoid client disruption and analyst overload.
We assume attackers know the feature representation and can either query the victim model or train a surrogate to estimate feature importance; they may inject a small number of poisons but cannot alter labels [8], [10]. Unlike prior work, we do not presume access to a pristine training set -acquiring expert-labeled data is costly in security -yet we allow defenders to cluster the training data and retrain multiple, relatively lightweight models (e.g., decision-tree ensembles), which is feasible given their modest size.
Most existing backdoor defenses are ill-suited for cybersecurity. In particular we observe: a) Different data modalities and model architectures: Most exiting mitigation approaches have been designed for computer vision (CV), where CNNs are the state-of-the-art architecture [18], [19], [20], [29]. Representative approaches for CV backdoor defenses are activation clustering [18], spectral signatures [19], and SPECTRE [20] that perform outlier detection in the CNN representation space via clustering, SVD decomposition, or robust statistics. Prior work [8] tried to adapt these methods and showed that these defenses are not effective when they do not operate in the model's representation space.
b) Coarse-grained binary labels: A typical cybersecurity taskfoot_1 is to distinguish malicious and benign samples, resulting in a binary classification problem. Techniques that look for shortcuts between classes in latent space and aim to identify a target attack label, such as Neural Cleanse [28] and ABS [26], require finer-grained labeling of the training data and thus cannot be readily adapted to our setting. c) Hard constraints on false positives: Models trained for cybersecurity tasks have hard constraints on false positives to be deployed in production [2]. This rules out the application of certified defenses, which largely degrade model utility.
We evaluate here some well-known defensive approaches: Spectral Signatures, SPECTRE, Activation Clustering, and Selective Amnesia using the state-of-the-art backdoor attack by Severi et al. [10] on the CTU-13 Botnet detection task and a fully connected neural network model. The attack can be configured to use either SHAP or Entropy for selecting features for inclusion in the trigger.
1) Limitations of Spectral Signatures and SPECTRE: Spectral Signatures (SpS) [19] and SPECTRE [20] identify anomalies by projecting embedded data into lower-dimensional subspaces. SPECTRE whitens the data using robustly estimated means and covariances before applying PCA. Table I reports the number of poisons identified as more points are removed. Neither method effectively removed contaminants, and SPEC-TRE frequently failed to complete. This suggests that the embeddings produced by CNNs applied to image data are structurally different from those produced by the shallow, fully connected networks used in cybersecurity applications.
2) Limitations of Activation Clustering: Activation clustering [18] detects poisoned points by applying k-means clustering (k = 2) to the activations of the last hidden layer of the victim neural network, followed by analysis to determine which cluster to discard. We evaluated this approach across poisoning rates from 0.1% to 5%, with both SHAP and
TABLE I: Mean number of poisons identified by SpS and SPECTRE for a neural network trained on the CTU-13 data, across five trials. Standard deviation in parentheses. A dash means that the defense failed to complete in at least four trials. (a) 0.5% poisoning (714 poisons) Removed SpS SPECTRE 200 1.6 (1.51) 1.8 (1.30) 400 2.0 (1.87) 2.2 (1.09) 600 2.8 (2.38) -800 4.0 (2.64) -1000 4.8 (3.03) -(b) 5% poisoning (7152 poisons) Removed SpS SPECTRE 200 13.0 (2.12) 16.0 (2.74) 400 21.2 (4.49) 32.0 (4.24) 600 31.4 (3.05) -800 43.0 (4.90) -1000 54.4 (5.90) - 3) Limitations of Selective Amnesia: Selective Amnesia (SEAM) [22] mitigates backdoors by inducing catastrophic forgetting through fine-tuning on randomly assigned incorrect labels, erasing both the primary task and backdoor associations. The model is then retrained on a held-out clean dataset to recover accuracy. Originally developed for multi-class vision tasks, we adapted SEAM for our binary classification setting in the CTU-13 Botnet detection task (entropy feature selection), applying it only to the neural network model due to the lack of fine-tuning mechanisms for tree-based classifiers.
As shown in Figure 1, SEAM's effectiveness depends heavily on the size of the clean dataset. A 1% recovery set fails to mitigate the attack, while 5% reduces the attack success rate from 0.65 to 0.30. Even at 10%, the defense does not fully eliminate the backdoor. Given the high cost of obtaining clean data in cybersecurity, these results highlight the need for defenses that do not rely on clean datasets.
We detail our sanitization procedure (Algorithm 1) below.
To mitigate the curse of dimensionality -high-dimensional data points become increasingly sparse and hard to cluster -we project each sample onto a small set F of the most influential features. Observing that effective backdoor attacks target features with outsized decision impact [8], [10], we train a surrogate decision tree and use its entropy-based importance scores to rank and retain the top |F| features. The choice of |F| balances coverage of potential trigger dimensions against clustering tractability-adversaries typically exploit only the highest-ranked features-so it can be tuned to yield a sensible number of clusters. In our evaluation, we reduced the original ∼1,100 network-traffic features to 4.
Our defense isolates poisoned samples via density-based clustering in the reduced feature space. Unlike neuralnetwork-specific methods that cluster hidden-layer activations [18], we apply OPTICS [34] directly on the top F features of the benign samples. This method discovers high-density cores and expands clusters, automatically inferring the number of clusters and handling variable densities. This concentrates the poisons into a few clusters, enabling a follow-on scoring and filtering stage to pinpoint and remove corrupted data.
We develop an iterative scoring procedure, presented in Algorithm 1, where clean clusters are progressively identified and added to a clean data set. It starts by selecting the largest cluster C 0 out of all clusters C identified by OPTICS on the benign set, and merging it with the malicious points, to generate a temporary clean training set, D clean ← C 0 D y=1 . Next, we train a clean model f on D clean , and evaluate f 's average loss on each remaining cluster C i ∈ C \ C 0 . We rank the clusters C i by loss. Typically, the lower the loss, the closer the cluster is to the training data D clean .
Successively, we take the clusters with lowest average loss for the clean model and add their data points to the clean training set D train . Naturally, considering each cluster individually would provide the defender with fine-grained loss information but it would also require the defender to train a new model for each cluster, which could get prohibitively expensive. We address this issue by considering windows of clusters of fixed size w -we experimentally chose w = 5%, allowing the defender to trade-off computation time for finegrained loss information. Then we re-train the surrogate model f on this new dataset and score the remaining clusters. This process iteratively pushes the clusters that are less similar to the data assumed to be clean to the bottom of the list, therefore isolating the clusters containing poisoned data points.
At this stage the defender could opt for a fixed threshold filtering strategy, by stopping the iterative training and scoring process after a fixed percentage of clusters has been added to D clean . In our experiment, we set this fixed threshold to 80% of the clusters, as we empirically find it to be quite effective.
After clustering isolates suspicious groups, we remediate them via two strategies. The simplest is to remove any cluster not flagged as clean, thereby eliminating all poisons at the cost of potentially discarding rare but valid patterns and degrading utility on uncommon test cases. Alternatively, we "patch" each point in a suspect cluster by overwriting its top |P| most important features (where |P| ≥ |F|) with values sampled from the clean portion of the data. In our experiments we randomly draw replacement values from D clean (the set of clean clusters after reaching 80% coverage) for each patched feature. This preserves the bulk of the training data while neutralizing the backdoor, and may be further enhanced in future work by employing generative tabular models (e.g., diffusion-based samplers) to produce more realistic replacements.
We evaluate our defense on the CTU-13 Neris botnet detection task [35], using Zeek-extracted NetFlow logs aggregated into 30-second windows. Each window is converted into a feature vector of statistics-connection counts by protocol and state, distinct external IPs per internal IP, and min/mean/max packet and byte volumes-mirroring prior work [36], [10].
We test against two feature-selection attacks-an entropy-based surrogate decision tree and a SHAP-guided method [37]-and two trigger schemes: (1) a full trigger that embeds contiguous connections into the most important features, and (2) a stealthy, Bayesian-network-generated trigger that respects traffic dependencies. We report attack success rate (ASR), defined as the percentage of originally malicious test points misclassified as benign, alongside clean-data utility via F1 score and false-positive rate.
Figure 3 shows the dynamics of the tracked metrics across the iterations, assuming a window size of 5% of the clusters. The reported metrics are averages over multiple experiments, with two feature selection strategies (Entropy and SHAP), for the Full trigger attack. Results are shown at 5 different poisoning percentages, and each experiment is repeated 5 times with different random seeds.
1) Fixed threshold filtering: For both gradient boosting model and neural network, interrupting the training when 80% of the clusters has been added to the training set represents a good baseline heuristic that filters out the vast majority of poisoning points. We also note that the attack's poisoning fraction has little influence on the effectiveness of this procedure.
The generated trigger, on the other hand, is stealthier, and a larger fraction of poisoning points manages to slip through the filtering process at these pre-defined thresholds. However, since this strategy is designed for stealthiness rather than effectiveness, its success rate is limited even if a fraction of the contaminants ends up in the training data. As observed in [10], the generated neural network trigger acts as an adversarial example, causing misclassifications without poisoning. This falls outside our defense's scope, which targets backdoor poisoning attacks.
While effective at removing the poisons (ASR ranging from 0.0% to 6.45%), this baseline remediation strategy may reduce the utility of the models as a side-effect of discarding entire
TABLE II: Average model utility metrics on CTU-13. Results reported for different victim architectures, at different poisoning percentages. All results are averages of 10 runs, with two attack strategies and 5 random seeds. Model type Poisoning % F1 at 80.0% FPR at 80.0% Poisons in Dclean at 80.0% Full trigger Neural Network 0.1% 48.19% 1.45% 10.99% 0.5% 45.97% 1.62% 31.71% 1% 52.31% 1.30% 13.89% 2% 49.33% 1.36% 12.03% 5% 64.55% 0.83% 20.51% Gradient Boosting 0.1% 85.93% 0.21% 0.00% 0.5% 94.84% 0.04% 2.72% 1% 95.43% 0.04% 0.62% 2% 87.13% 0.18% 0.01% 5% 96.50% 0.02% 0.03% Generated trigger Gradient Boosting 0.1% 93.26% 0.07% 30.99% 0.5% 88.51% 0.18% 49.64% 1% 93.16% 0.08% 48.59% 2% 89.12% 0.17% 38.49% 5% 90.10% 0.14% 65.36%
TABLE III: Comparison of patching and filtering sanitization approaches at fixed threshold = 80%. Gradient boosting model on CTU-13. Also showing the Base ASR value for the undefended attack. Results are averages of 5 runs on different random seeds, for two attack strategies Entropy and SHAP. Sanitization Poisoning Base ASR ASR Test FPR Test F1 Filtering 0.1% 50.70% 0.00% 0.21% 85.93% 0.5% 85.80% 6.45% 0.04% 94.84% 1% 88.45% 0.15% 0.04% 95.43% 2% 85.75% 0.00% 0.18% 87.13% 5% 79.90% 0.00% 0.02% 96.50% Patching 0.1% 50.70% 0.00% 0.08% 90.61% 0.5% 85.80% 10.95% 0.05% 93.19% 1% 88.45% 9.75% 0.03% 93.37% 2% 85.75% 9.30% 0.05% 92.64% 5% 79.90% 10.95% 0.00% 95.27%
clusters above the threshold (including their clean data). The F1 and FPR utility metrics, reported in Table II, average from 0.02% to 0.21% for FPR, and 86% to 97% for F1.
2) Patching: The patching-based sanitization strategy addresses the degradation in utility metrics. Considering the same threshold at 80%, we can directly compare the effects of patching to filtering for the experiment with the gradient boosting model on CTU-13. Table III shows that using patching generally leads to higher average values of the F1 score on test data (91% -95%), and a lower false positive rate (0% -0.08%). On the other hand, as expected, patching is slightly less effective than complete filtering in reducing the attack success (0% -11% ASR). Therefore, the defender can adopt the patching approach if they want to trade-off some defensive effectiveness for reduced degradation in model utility.
Our defense is tailored to counter factors that amplify cleanlabel poisoning attacks on tabular data. As with any heuristic defense, a knowledgeable adversary may attempt to adapt, for instance by: (i) selecting a different (less important) subset of features; (ii) ensuring a percentage of the poisons ends up in the largest cluster; (iii) using different triggers for different subsets of poison points, so that they end up in many different clusters; (iv) injecting high-loss noise into multiple clusters to keep poisoned clusters below the 80% threshold.
Strategies (ii) and (iii) are challenging in practice. In (iii), distributing different triggers reduces their visibility during training, weakening their association with the target class. For (ii), accurately estimating training data density to position poison points within dense regions-while maintaining attack success rate (ASR)-is difficult. While stealthier attacks aim to blend with benign data, none actively target high-density regions, and the success of such a variant is uncertain. Strategy (iv) is easier to implement but requires extensive modification of the training set, compromising stealth.
Strategy (i) may allow evasion, as our defense assumes the trigger lies in the most relevant features. An attacker could select features that deliberately exclude the top |F|. However, this is non-trivial: identifying a large, manipulable, and disjoint subset from key features is difficult. Even if successful, targeting less relevant features likely reduces ASR. Thus, the attacker must balance stealth and effectiveness carefully.
Defensive methods in adversarial machine learning inherently face limitations, and protecting against arbitrary poisoning remains an open challenge. We propose a mitigation strategy for clean-label backdoor attacks on cybersecurity classifiers that removes common constraints of prior defenses-namely, the need for clean reference data and architectural assumptions. Our method significantly reduces attack success while maintaining high model utility and low false positive rates.
Our mitigation introduces some overhead in training, but training multiple instances on incrementally larger datasets is computationally reasonable for low-cost models like decision trees and small neural networks. Our pre-training defense can be combined with other poisoning mitigations during and post-training in line with a defense-in-depth security strategy. We leave a detailed design of such a strategy for poisoning mitigation to future work.
https://github.com/ClonedOne/cyber clean label backdoor mitigation
Binary classification tasks are common in scenarios where fast identification of threats is paramount.