vinairesearch / warping-based_backdoor_attack-release

WaNet - Imperceptible Warping-based Backdoor Attack (ICLR 2021)

License: GNU General Public License v3.0

Python 99.39% Shell 0.61%
backdoor-attacks security deep-learning machine-learning computer-vision iclr2021 deep-learning-security

warping-based_backdoor_attack-release's People

Contributors

tuananh12101997, tuananhnguyen10121997


warping-based_backdoor_attack-release's Issues

About finetune defense

Hi! Thanks for your sharing! This attack is cool!

Have you tested whether the attack is still effective after using 5% of clean data to finetune the backdoor model?
I finetuned the backdoor model on the 5% clean training data for 10 epochs using the SGD optimizer. According to the results, it can be seen that this strategy is defensive against WaNet. Have you tested it? The pretrained model that you provided is used.

all2all-attack

According to the definition of all-to-all in the paper "WaNet - Imperceptible Warping-based Backdoor Attack"
[image: all-to-all definition from the paper]
which is all-to-all: c(y) = (y + 1) % |C|
However, in your code train.py, the all-to-all attack modifies the labels as: c(y) = y % |C|
The specific code is (Lines 82 to 83 in train.py):
[image: train.py lines 82 to 83]
Is there something wrong here?
Should it be modified to:
targets_bd = torch.remainder(targets[:num_bd] + 1, opt.num_classes)

Doubt

Is there a way in which I can access/download trojan or triggered image generated by the algorithm? If Yes how? or if there is a link I can download from.

about the grid_temps

Thanks for your great work. I have a question about grid_temps. After grid_temps is initialized, it has not changed, because it has not been optimized, so is the perturbation the same for every data sample?

Questions regarding reproducing results using Neural Cleanse

Hi,

Thanks for sharing the code.

I am trying to reproduce the results in the paper WaNet - Imperceptible Warping-based Backdoor Attack that evade the Neural Cleanse defense. I am using the GTSRB dataset. I downloaded the model and dataset according to the instructions in the README. When I run Neural Cleanse on the downloaded model, I get an anomaly index larger than 2 (even greater than 4), which means the trained model is still considered to be backdoored. I tested it 10 times and got the same result.

Is there anything not configured properly? Would you be able to take a look? I'd really appreciate it.

Issues about attack privileges

I'm sorry, I have some questions to ask.

In the WaNet paper, it is mentioned that attackers can control the model's training process, but WaNet seems to only require poisoning of the training set (by mixing "attack" and "noise" samples into the training set) to complete the attack. So, is WaNet a poisoning attack or an attack that controls the training process?

I also noticed that in the WaNet code, when generating poisoned samples, it selects num_bd+num_cross clean samples from each batch in the dataloader. However, the shuffle parameter in the dataloader is set to True, which means that the order of batches will be shuffled in each epoch, so the first num_bd+num_cross clean samples in each epoch are not the same, resulting in different sets of poisoned samples generated in each epoch. If a fixed set of poisoned samples is selected for each epoch, would the WaNet attack still be effective?

Looking forward to your reply!

About cross-ratio and input_cross in the code

Hi, thank you for the great work!
I was trying to understand the functions in train.py. I was wondering what the purpose of input_cross is and the meaning of cross-ratio?
It looks like different warping functions have been applied to the images. Is the difference between input_cross and input_bd equal to the "attack" and "noise" modes in the paper?
Thanks again!

About the detection of Neural Cleanse

All of the pretrained models you provide have an anomaly index smaller than 2 in Neural Cleanse. However, when I train more backdoor models with the default setting on mnist, cifar10 and gtsrb and test the detection of NC, only models on mnist have a small anomaly index; models on cifar10 and gtsrb have an anomaly index larger than 3 (on average). Is there any trick to train the backdoor model?

Some remaining questions with fine-pruning-celeba.py

Thanks for your answers. For the first question before, I find that I didn't download the latest version of the code. But I still have some questions about https://github.com/VinAIResearch/Warping-based_Backdoor_Attack-release/tree/main/defenses/fine_pruning/fine-pruning-celeba.py

  1. https://github.com/VinAIResearch/Warping-based_Backdoor_Attack-release/blob/main/defenses/fine_pruning/fine-pruning-celeba.py#L83 opt.input_width is not assigned.
  2. When I apply the fine_pruning method to ResNet50, I find that I have to redefine the last bn layer with the code nn.BatchNorm2d(pruning_mask.shape[0] - num_pruned) and then load the bn's params data in the way of https://github.com/VinAIResearch/Warping-based_Backdoor_Attack-release/blob/main/defenses/fine_pruning/fine-pruning-celeba.py#L150. Otherwise, the output of the redefined last conv layer doesn't match the input dimension of the last bn layer. Finally, before using net_pruned in the eval function, I used net_pruned.eval() to fix the params of the redefined last bn layer. (The Resnet50 which I used is torchvision.models.resnet50(), so the dimension of the concrete layer may be different, but I think redefining the bn layer is perhaps also needed in your code.)

Some question about fine-pruning-celeba.py

First, thanks for your sharing. But I find that the model Resnet18 doesn't have the parameter ind. What's more, the layer4.bn2 layer does not modify the number of input channels while layer4[1].conv2 has been changed. Is that OK? Or did I miss something? Looking forward to your reply.
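The two fine-pruning issues above both come down to the same bookkeeping: when output channels of the last conv layer are pruned, the BatchNorm that follows it must be rebuilt with the reduced channel count and its per-channel parameters re-indexed by the kept channels, otherwise the conv output no longer matches the BN input. The following is an added example that is not the repository's code; it assumes plain Python with nested lists standing in for tensors (no torch) and uses constructed toy weights and activations.

```python
from typing import Dict, List, Tuple

# Constructed toy weights: a "last conv" with 4 output channels (1x1 kernel,
# layout [out][in][kh][kw]) and a following BatchNorm whose per-channel
# parameters must stay aligned with the conv's output channels.
CONV_WEIGHT = [[[[0.1 * (c + 1)]]] for c in range(4)]
BN_PARAMS: Dict[str, List[float]] = {
    "weight": [1.0, 1.1, 1.2, 1.3],
    "bias": [0.0, 0.1, 0.2, 0.3],
    "running_mean": [0.5, 0.6, 0.7, 0.8],
    "running_var": [1.0, 1.0, 1.0, 1.0],
}
# Constructed mean activation of each channel on clean data; fine-pruning
# removes the channels that are least active on clean inputs.
MEAN_ACTS = [0.9, 0.05, 0.4, 0.02]


def keep_mask_from_activations(mean_acts: List[float], num_pruned: int) -> List[bool]:
    """True for channels to keep; the num_pruned lowest-activation ones are dropped."""
    order = sorted(range(len(mean_acts)), key=lambda i: mean_acts[i])
    pruned = set(order[:num_pruned])
    return [i not in pruned for i in range(len(mean_acts))]


def prune_conv_and_bn(conv_weight, bn_params, keep_mask) -> Tuple[list, dict, List[int]]:
    """Drop conv output channels AND the matching BN entries (the step the issue asks about)."""
    kept = [i for i, k in enumerate(keep_mask) if k]
    new_conv = [conv_weight[i] for i in kept]
    new_bn = {name: [vals[i] for i in kept] for name, vals in bn_params.items()}
    return new_conv, new_bn, kept


def bn_matches_conv(conv_weight, bn_params) -> bool:
    """True when every BN parameter has exactly one entry per conv output channel."""
    n_out = len(conv_weight)
    return all(len(vals) == n_out for vals in bn_params.values())


def demo(num_pruned: int = 2) -> dict:
    """Prune, then show the mismatch with the old BN and the fix with the rebuilt one."""
    mask = keep_mask_from_activations(MEAN_ACTS, num_pruned)
    new_conv, new_bn, kept = prune_conv_and_bn(CONV_WEIGHT, BN_PARAMS, mask)
    return {
        "kept": kept,
        "mismatch_if_bn_untouched": not bn_matches_conv(new_conv, BN_PARAMS),
        "consistent_after_rebuild": bn_matches_conv(new_conv, new_bn),
        "bn_weight": new_bn["weight"],
    }
```

In a torch model the same re-indexing is what `nn.BatchNorm2d(<kept channels>)` followed by copying the kept entries of weight, bias, running_mean and running_var achieves.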
