- Ma et al. observed that although the infected model classifies both clean samples of the target class and poisonous samples as the target class, these two sets of samples are disjoint in the pixel space. Therefore, the intermediate representations of the poisonous samples differ from those of the clean samples. Based on this observation, Ma et al. proposed Beatrix, a defense method that leverages Gram matrices to model the intermediate representations of samples, enabling discrimination between benign and poisonous samples. It also employs kernel-based testing to identify the infected label (i.e., the target class). Figure 14 presents the defense performance of Beatrix on FlowMur and baselines.
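The following sketch illustrates the Gram-matrix idea described above. It is an added example, not Beatrix's implementation and not code from the paper. It summarizes each intermediate activation map by its first- and second-order Gram matrices, profiles clean samples of one class, and flags inputs whose Gram features deviate from that profile. Assumptions: the function names, the median/MAD scoring, the threshold rule, and the activation data are constructed for illustration, and the kernel-based test for the infected label is omitted.

```python
import random
from statistics import median

def gram_features(act, orders=(1, 2)):
    """Upper triangle of the p-th order Gram matrices of one activation map.
    act: list of channels, each a list of non-negative (post-ReLU) values."""
    feats = []
    for p in orders:
        powered = [[v ** p for v in ch] for ch in act]
        for i, ci in enumerate(powered):
            for cj in powered[i:]:
                feats.append(sum(a * b for a, b in zip(ci, cj)) ** (1.0 / p))
    return feats

def fit_profile(clean_acts):
    """Per-feature median and MAD over clean samples of one class."""
    cols = list(zip(*(gram_features(a) for a in clean_acts)))
    meds = [median(c) for c in cols]
    mads = [median(abs(x - m) for x in c) for c, m in zip(cols, meds)]
    return meds, mads

def deviation(act, profile, eps=1e-9):
    """Mean robust z-score of a sample's Gram features vs. the clean profile."""
    meds, mads = profile
    f = gram_features(act)
    return sum(abs(x - m) / (d + eps) for x, m, d in zip(f, meds, mads)) / len(f)

def fit_threshold(clean_acts, profile, k=20.0):
    """Assumed rule: flag scores more than k MADs above the median clean score."""
    s = [deviation(a, profile) for a in clean_acts]
    m = median(s)
    return m + k * median(abs(x - m) for x in s)

# Constructed data: 4 channels x 16 positions; the "trigger" drives channel 3.
BASE = [1.0, 0.5, 0.8, 0.2]

def sample(rng, poisoned=False):
    act = [[max(0.0, b + rng.gauss(0, 0.1)) for _ in range(16)] for b in BASE]
    if poisoned:
        act[3] = [v + 2.0 for v in act[3]]  # co-activation absent in clean data
    return act

def demo(seed=0):
    """Returns (flagged held-out clean, flagged poisoned), 20 samples each."""
    rng = random.Random(seed)
    clean = [sample(rng) for _ in range(200)]
    profile = fit_profile(clean)
    thr = fit_threshold(clean, profile)
    held_out = [deviation(sample(rng), profile) > thr for _ in range(20)]
    poisoned = [deviation(sample(rng, True), profile) > thr for _ in range(20)]
    return sum(held_out), sum(poisoned)
```

In practice the activation maps would be taken from an intermediate layer of the model under inspection, with one profile fitted per class.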