BackdoorBox: A Python Toolbox for Backdoor Learning

Li, Yiming; Ya, Mengxi; Yang, Bai; Jiang, Yong; Xia, Shu-Tao

doi:10.48550/arxiv.2302.01762

Cited by 2 publications

(4 citation statements)

References 13 publications

Supporting

Mentioning

Contrasting

Order By: Relevance

“…For each attack, we randomly select the target label and inject sufficient poisoned samples to ensure the attack success rate ≥ 98% while preserving the overall model performance. We implement these attacks based on the open-sourced backdoor toolbox (Li et al, 2023). We demonstrate the trigger patterns of adopted attacks for Tiny ImageNet in Figure 5.…”

Section: Main Settingsmentioning

confidence: 99%

“…Specifically, the trigger for BadNets is a 4 × 4 square consisting of random pixel values; the trigger of ISSBA is generated via DNN-based image steganography (Tancik et al, 2020). Both attacks are implemented via BackdoorBox (Li et al, 2023).…”

Section: B the Detailed Configurations Of The Empirical Studymentioning

confidence: 99%

“…We train backdoor-infected models using BackdoorBox (Li et al, 2023). We set the training epoch as 200 and the poisoning rate as 5 − 10% for each attack to ensure a high attack success rate.…”

Section: The Details For Training Attacked Modelsmentioning

confidence: 99%

See 2 more Smart Citations

SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency

Guo¹,

Li²,

Chen³

et al. 2023

Preprint

View full text Add to dashboard Cite

Deep neural networks (DNNs) are vulnerable to backdoor attacks, where adversaries embed a hidden backdoor trigger during the training process for malicious prediction manipulation. These attacks pose great threats to the applications of DNNs under the real-world machine learning as a service (MLaaS) setting, where the deployed model is fully black-box while the users can only query and obtain its predictions. Currently, there are many existing defenses to reduce backdoor threats. However, almost all of them cannot be adopted in MLaaS scenarios since they require getting access to or even modifying the suspicious models. In this paper, we propose a simple yet effective black-box input-level backdoor detection, called SCALE-UP, which requires only the predicted labels to alleviate this problem. Specifically, we identify and filter malicious testing samples by analyzing their prediction consistency during the pixel-wise amplification process. Our defense is motivated by an intriguing observation (dubbed scaled prediction consistency) that the predictions of poisoned samples are significantly more consistent compared to those of benign ones when amplifying all pixel values. Besides, we also provide theoretical foundations to explain this phenomenon. Extensive experiments are conducted on benchmark datasets, verifying the effectiveness and efficiency of our defense and its resistance to potential adaptive attacks. Our codes are available at https://github.com/JunfengGo/SCALE-UP.

show abstract

Section: Main Settingsmentioning

confidence: 99%

Section: B the Detailed Configurations Of The Empirical Studymentioning

confidence: 99%

See 1 more Smart Citation

SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency

Guo¹,

Li²,

Chen³

et al. 2023

Preprint

View full text Add to dashboard Cite

show abstract

“…door attack (Gudibande et al;Gao et al 2023;Li et al 2023) has also received great attention since they pose potential threats to DNN-based applications. Backdoor attacks plant a backdoor into a victim model by injecting a trigger pattern into a small subset of training sample (Li et al 2022b;Gu et al 2019;Chen et al 2017).…”

Section: Introductionmentioning

confidence: 99%

Does Few-Shot Learning Suffer from Backdoor Attacks?

Liu,

Jia,

et al. 2024

AAAI

View full text Add to dashboard Cite

The field of few-shot learning (FSL) has shown promising results in scenarios where training data is limited, but its vulnerability to backdoor attacks remains largely unexplored. We first explore this topic by first evaluating the performance of the existing backdoor attack methods on few-shot learning scenarios. Unlike in standard supervised learning, existing backdoor attack methods failed to perform an effective attack in FSL due to two main issues. Firstly, the model tends to overfit to either benign features or trigger features, causing a tough trade-off between attack success rate and benign accuracy. Secondly, due to the small number of training samples, the dirty label or visible trigger in the support set can be easily detected by victims, which reduces the stealthiness of attacks. It seemed that FSL could survive from backdoor attacks. However, in this paper, we propose the Few-shot Learning Backdoor Attack (FLBA) to show that FSL can still be vulnerable to backdoor attacks. Specifically, we first generate a trigger to maximize the gap between poisoned and benign features. It enables the model to learn both benign and trigger features, which solves the problem of overfitting. To make it more stealthy, we hide the trigger by optimizing two types of imperceptible perturbation, namely attractive and repulsive perturbation, instead of attaching the trigger directly. Once we obtain the perturbations, we can poison all samples in the benign support set into a hidden poisoned support set and fine-tune the model on it. Our method demonstrates a high Attack Success Rate (ASR) in FSL tasks with different few-shot learning paradigms while preserving clean accuracy and maintaining stealthiness. This study reveals that few-shot learning still suffers from backdoor attacks, and its security should be given attention.

show abstract

BackdoorBox: A Python Toolbox for Backdoor Learning

Cited by 2 publications

References 13 publications

SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency

SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency

Does Few-Shot Learning Suffer from Backdoor Attacks?

Contact Info

Product

Resources

About