In a backdoor attack, an adversary adds maliciously constructed (“backdoor”) examples into a training set to make the resulting modelvulnerable to manipulation. Defending against such attacks—e.g., by finding and removing the backdoor examples—typically involves viewing these examples as outliers and using techniques from robust statistics to detect and remove them.In this work, we present a new perspective on this task, that is, without structural information on the training data distribution,b…