Backdoor Contrastive Learning via Bi-level Trigger Optimization
Authors: Weiyu Sun, Xinyu Zhang, Hao Lu, Ying-Cong Chen, Ting Wang, Jinghui Chen, Lu Lin
ICLR 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments show that our attack can achieve a higher attack success rate (e.g., 99% ASR on ImageNet-100) with a very low poisoning rate (1%). Besides, our attack can effectively evade existing state-of-the-art defenses. |
| Researcher Affiliation | Academia | Weiyu Sun (1), Xinyu Zhang (1), Hao Lu (2), Yingcong Chen (2), Ting Wang (3), Jinghui Chen (4), Lu Lin (4). Affiliations: (1) Nanjing University; (2) The Hong Kong University of Science and Technology; (3) Stony Brook University; (4) The Pennsylvania State University. |
| Pseudocode | Yes | Algorithm 1 Bi-Level Trigger Optimization (BLTO). A hedged sketch of the bi-level loop follows the table. |
| Open Source Code | Yes | Code is available at: https://github.com/SWY666/SSL-backdoor-BLTO. |
| Open Datasets | Yes | Following prior works (Saha et al., 2022; Li et al., 2023), we verify our backdoor attack on three benchmark datasets: CIFAR-10/-100 (Krizhevsky, 2009) and ImageNet-100. Among them, ImageNet-100 is a randomly selected 100-class subset of the ImageNet ILSVRC-2012 dataset (Deng et al., 2009). |
| Dataset Splits | Yes | when training the downstream predictor, following CTRL (Li et al., 2023), we use the clean CIFAR-10 training set as the downstream training set, and use the CIFAR-10 testing set for performance evaluation. ... We use the testing set in CIFAR-10/-100 and the validation set of ImageNet-100 for performance evaluation. |
| Hardware Specification | No | The paper does not specify the hardware (e.g., GPU models, CPU types) used to run the experiments. It only mentions model architectures like ResNet-18, ResNet-34, etc. |
| Software Dependencies | No | The paper mentions "PyTorch version" and lists various Python/PyTorch-related augmentation transforms (e.g., T.Compose, T.RandomResizedCrop) but does not provide specific version numbers for PyTorch or any other software dependencies. |
| Experiment Setup | Yes | The poisoning rate is set as P = 1% by default, meaning the attacker can poison 1% of the training data. ... The temperature (Wang & Liu, 2021) of the InfoNCE (Oord et al., 2018) loss is 0.2. ... We train the feature extractor for 800 epochs... the attacker uses a batch size of 512 and a learning rate scheduler (base lr 0.03, final lr 0). ... The victim's queue length is set as 4096, batch size is 512, temperature τ is set as 0.1. Sketches of the loss and schedule follow the table. |
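
The paper's Algorithm 1 (BLTO) is not reproduced in the extracted text, so the following is only a minimal, hypothetical sketch of what an alternating bi-level trigger-optimization loop could look like in PyTorch. The function names (`simclr_loss`, `blto_sketch`), the SimCLR-style surrogate loss, the noise "augmentation" placeholder, the step counts, the outer alignment objective, and the `eps` trigger bound are all illustrative assumptions, not the authors' code; only the temperature 0.2 and base lr 0.03 come from the quoted setup.

```python
import torch
import torch.nn.functional as F

def simclr_loss(z1, z2, temperature=0.2):
    """SimCLR-style InfoNCE over two views (temperature 0.2 per the quoted setup)."""
    b = z1.size(0)
    z = F.normalize(torch.cat([z1, z2]), dim=1)          # (2B, D)
    sim = z @ z.t() / temperature                        # (2B, 2B) similarities
    mask = torch.eye(2 * b, dtype=torch.bool, device=z.device)
    sim = sim.masked_fill(mask, float("-inf"))           # exclude self-pairs
    # positive of sample i is its other view at index (i + B) mod 2B
    targets = torch.cat([torch.arange(b, 2 * b), torch.arange(b)]).to(z.device)
    return F.cross_entropy(sim, targets)

def blto_sketch(trigger, encoder, loader, inner_steps=5,
                outer_lr=0.01, eps=8 / 255):
    """Alternating (not fully unrolled) approximation of a bi-level loop:
    inner level simulates the victim's contrastive training on
    trigger-patched data; outer level updates the trigger so patched
    samples collapse to a tight cluster in the surrogate's embedding space."""
    trigger = trigger.clone().requires_grad_(True)
    opt_t = torch.optim.Adam([trigger], lr=outer_lr)
    opt_e = torch.optim.SGD(encoder.parameters(), lr=0.03)  # quoted base lr

    def augment(x):
        # placeholder for the paper's T.Compose / T.RandomResizedCrop pipeline
        return (x + 0.05 * torch.randn_like(x)).clamp(0, 1)

    for x, _ in loader:
        # ---- inner level: surrogate update, trigger held fixed ----
        with torch.no_grad():
            x_fix = (x + trigger).clamp(0, 1)
        for _ in range(inner_steps):
            loss_in = simclr_loss(encoder(augment(x_fix)),
                                  encoder(augment(x_fix)))
            opt_e.zero_grad()
            loss_in.backward()
            opt_e.step()

        # ---- outer level: trigger update through the surrogate encoder ----
        z = F.normalize(encoder((x + trigger).clamp(0, 1)), dim=1)
        loss_out = -(z @ z.t()).mean()       # maximize pairwise alignment
        opt_t.zero_grad()
        loss_out.backward()
        opt_t.step()
        with torch.no_grad():
            trigger.clamp_(-eps, eps)        # keep the trigger bounded
    return trigger.detach()
```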
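The victim settings quoted above (queue length 4096, batch size 512, temperature τ = 0.1) match a MoCo-style formulation of the InfoNCE loss. Below is a minimal sketch of that loss under this assumption; the function name and tensor layout are ours, not the paper's.

```python
import torch
import torch.nn.functional as F

def moco_info_nce(q, k, queue, temperature=0.1):
    """MoCo-style InfoNCE: one positive key per query, negatives drawn from a
    memory queue. `queue` holds L2-normalized keys of shape (K, D), e.g. K=4096."""
    q = F.normalize(q, dim=1)                         # (B, D) query embeddings
    k = F.normalize(k, dim=1)                         # (B, D) positive keys
    l_pos = (q * k).sum(dim=1, keepdim=True)          # (B, 1) positive logits
    l_neg = q @ queue.t()                             # (B, K) negative logits
    logits = torch.cat([l_pos, l_neg], dim=1) / temperature
    labels = torch.zeros(q.size(0), dtype=torch.long, device=q.device)
    return F.cross_entropy(logits, labels)            # positive sits at index 0
```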
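The quoted schedule ("base lr 0.03, final lr 0" over 800 epochs) is consistent with the cosine decay commonly used in contrastive learning; the exact scheduler shape is an assumption.

```python
import math

def cosine_lr(epoch, total_epochs=800, base_lr=0.03, final_lr=0.0):
    """Cosine decay from base_lr to final_lr over total_epochs (assumed shape)."""
    return final_lr + 0.5 * (base_lr - final_lr) * (
        1 + math.cos(math.pi * epoch / total_epochs))
```

A typical usage is to set `group["lr"] = cosine_lr(epoch)` on each optimizer parameter group at the start of every epoch.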