
TRAP: Mitigating Poisoning-based Backdoor Attacks by Treating Poison with Poison

Environment

We provide a Conda environment file, trap.yaml, that installs the same library versions we used.

Prepare Data

The CIFAR-10 and CIFAR-100 datasets are downloaded automatically to the dataset folder when a network connection is available. The ImageNet subset is too large to upload to the repository; you can download it through this link.

Configuration

If you want to try different attack methods, poisoning rates and datasets, adjust the parameters in config.yaml. Refer to attack/attack.py and data/poison_dataset to determine the settings for the different attacks.

Poisoned Sample Isolation

Running isolation.py directly produces the corresponding results, which are saved to the path specified in config.py.

isolation.py outputs the following:

  • a model that has been trained for 10 epochs
  • the corresponding poisoned dataset
  • the indices of the poisoned samples in that dataset
  • visualization results of the dimensionality reduction and clustering
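To make the isolation step concrete, here is a small added illustration (not the repository's isolation.py, whose exact reduction and clustering choices are not described on this page) of how dimensionality reduction followed by clustering can surface a minority cluster of suspected poisoned samples and return their indices. It uses PCA via SVD and a two-cluster k-means written in plain NumPy; the feature matrix is constructed inline, and the function names (`pca`, `kmeans`, `isolate_suspected_poison`) are hypothetical.

```python
"""Added illustration of poisoned-sample isolation: PCA + 2-means over
sample features, flagging the smaller cluster as suspected poison.
Constructed data only; not the TRAP repository's own code."""
import numpy as np


def make_constructed_features(n_clean=90, n_poison=10, dim=16, seed=0):
    """Build a constructed feature matrix: clean samples ~ N(0, I),
    poisoned samples shifted along a fixed direction (a stand-in for the
    feature-space signature a trigger leaves). Returns (features, truth)."""
    rng = np.random.default_rng(seed)
    clean = rng.normal(0.0, 1.0, size=(n_clean, dim))
    shift = np.zeros(dim)
    shift[:3] = 6.0  # constructed offset on three feature axes
    poison = rng.normal(0.0, 1.0, size=(n_poison, dim)) + shift
    feats = np.vstack([clean, poison])
    truth = np.array([0] * n_clean + [1] * n_poison)
    perm = rng.permutation(len(feats))  # shuffle so poison is not contiguous
    return feats[perm], truth[perm]


def pca(feats, n_components=2):
    """Project centred features onto their top principal components."""
    centered = feats - feats.mean(axis=0)
    _, _, vt = np.linalg.svd(centered, full_matrices=False)
    return centered @ vt[:n_components].T


def kmeans(points, iters=100):
    """Deterministic 2-means: one centre starts at the global mean, the other
    at the point farthest from it, so a rare shifted group seeds its own cluster."""
    mean = points.mean(axis=0)
    far = points[np.argmax(np.linalg.norm(points - mean, axis=1))]
    centers = np.stack([mean, far])
    labels = np.zeros(len(points), dtype=int)
    for _ in range(iters):
        dists = np.linalg.norm(points[:, None, :] - centers[None, :, :], axis=2)
        new_labels = dists.argmin(axis=1)
        if np.array_equal(new_labels, labels):
            break
        labels = new_labels
        for c in range(2):
            members = points[labels == c]
            if len(members):
                centers[c] = members.mean(axis=0)
    return labels


def isolate_suspected_poison(feats):
    """Return sorted indices of the minority cluster, i.e. suspected poison.
    The poisoning rate is assumed to be well below 50%, so the smaller
    cluster is the suspicious one."""
    labels = kmeans(pca(feats))
    counts = np.bincount(labels, minlength=2)
    return np.flatnonzero(labels == counts.argmin())


def estimated_poison_rate(feats):
    """Fraction of the dataset flagged by the isolation step."""
    return len(isolate_suspected_poison(feats)) / len(feats)


if __name__ == "__main__":
    feats, truth = make_constructed_features()
    flagged = isolate_suspected_poison(feats)
    actual = np.flatnonzero(truth == 1)
    print("flagged indices:", flagged.tolist())
    print("matches ground truth:", set(flagged) == set(actual))
    print("estimated poison rate:", estimated_poison_rate(feats))
```

In a real pipeline the features would come from a model trained for a few epochs, as the step above describes, rather than from a constructed distribution; the indices returned are what the reclassification step would consume.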

Poisoned Sample Reclassification

As with poisoned sample isolation, simply run hiding.py to obtain the result. hiding.py automatically retrieves the output of the previous step.

Experiment on Imagenet

For ImageNet, run hiding_imagenet.py instead of hiding.py.

Configuration of the 12 attacks

  • BadNets-all2one: A 3x3 grid composed of black and white is inserted in the lower right corner of the image.

  • BadNets-all2all: A 3x3 white square is inserted in the lower right corner of the image.

  • Trojan: A patch is inserted in the lower right corner of the image.

  • Blend-Strip: The blending ratio is 0.2, and the mask is a random pattern where each pixel value is uniformly randomly sampled from [0, 255].

  • Blend-Kitty: The blending ratio is 0.2, and the mask is a cartoon image of Hello Kitty.

  • SIG: We used code consistent with the original paper and followed the configuration recommended by EBD. We set delta to 40 during training and 60 during inference, while keeping f at 6.

  • CL: The generation of noise follows the following configuration: eps is 8/255, alpha is 2/255, and steps are 10. We referred to the settings in the original paper and added four-corner triggers to enhance resistance to data augmentation.

  • Instagram Filter: This attack does not require any parameter configuration. We referred to https://github.com/Gwinhen/BackdoorVault and used the Python library "pilgram" for trigger implementation.

  • WaNet: We used the same code as the authors and followed the parameter configurations recommended by the authors for the attack. The noise rate is 0.2, control grid size k = 4, warping strength s = 0.5, grid rescale is 1. In ImageNet, we change the control grid size k to 224 and warping strength s = 1.

  • IAB: Following the recommendations in ABL and ASD, we first reimplemented the IAB attack and obtained the trigger generator. Then we use the trigger generator to generate the poisoned samples in advance and conduct a poisoning-based backdoor attack. λ_div=1, and the noise rate is 0.1.

  • SSBA: We used the checkpoint and code provided by the original authors for poisoning, and its configuration matches that of the official code repository and the original paper.

  • Adap-Blend: We referred to the open-source code of the original paper and used the parameters recommended by the authors, namely a conservatism ratio of 0.5, a blend ratio of 0.15 during training, and a blend ratio of 0.2 during inference. We randomly applied only 50% of the partitioned trigger pieces during training and retained all of them during inference, as in the original paper.

Experiment on CL and SSBA attack

We provide checkpoints for these two attacks; place them in the location specified in attack/attack.py. Please download the checkpoints from this link.

About

TRAP: Mitigating Poisoning-based Backdoor Attacks by Treating Poison with Poison (TDSC)
