BaDExpert: Extracting Backdoor Functionality for Accurate Backdoor Input Detection
Authors: Tinghao Xie, Xiangyu Qi, Ping He, Yiming Li, Jiachen T. Wang, Prateek Mittal
ICLR 2024 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section, we present our experimental evaluation of the Ba DExpert defense. We first introduce our experiment setup in Sec 4.1, and demonstrate our primary results on CIFAR10 in Sec 4.2 (similar results on GTSRB deferred to Appendix C.1), followed by detailed ablation studies of Ba DExpert s key design components. |
| Researcher Affiliation | Academia | Tinghao Xie1, Xiangyu Qi1 Ping He2 Yiming Li2, Jiachen T. Wang1 Prateek Mittal1, 1Princeton University 2Zhejiang University |
| Pseudocode | Yes | Algorithm 1 Backdoor Functionality Extraction Input: Reserved Small Clean Set Dc, Backdoor Model M, Learning Rate η, Number of Iteration m Output: Backdoor Expert B |
| Open Source Code | Yes | Our code is integrated into our research toolbox: https://github.com/vtu81/backdoor-toolbox. |
| Open Datasets | Yes | Our primary experiment focuses on two widely benchmarked image datasets in backdoor literature, CIFAR10 (Krizhevsky, 2012) (Sec 4.2) and GTSRB (Stallkamp et al., 2012) (deferred to Appendix C.1). We demonstrate the equivalently successful effectiveness of Ba DExpert on a representative large scale dataset, 1000-class Image Net Deng et al. (2009) |
| Dataset Splits | Yes | Following prior works (Li et al., 2021b; Tao et al., 2022; Qi et al., 2023b), the defender has access to a small reserved clean set Dc. ... In our defense pipeline, we assume a small reserved clean set Dc (default to 5% size of the training dataset in the primary experiment, i.e., 2, 000 samples) to construct both B and M. |
| Hardware Specification | Yes | We run all experiments on a 4-rack cluster equipped with 2.8 GHz Intel Ice Lake CPUs and Nvidia A100 GPUs. |
| Software Dependencies | No | The paper mentions using 'Adam optimizer' and 'SGD optimizer' and general frameworks implied by the task (DNNs, PyTorch/TensorFlow likely), but does not specify software versions for libraries, frameworks, or programming languages (e.g., 'Python 3.x', 'PyTorch 1.x', 'CUDA 11.x'). |
| Experiment Setup | Yes | During unlearning (Alg 1), we select a small while effective (un)learning rate η. For our major experiments on Res Net18, η = 10 4 for CIFAR10 and η = 2.5 10 5 for GTSRB. As for other architectures (CIFAR10), η = 8 10 5 for VGG16, η = 8 10 5 for Mobile Net V2, and η = 10 2 for Res Net110 (SRA attack). On Image Net, η = 10 4 for Res Net18 and Res Net101, and η = 10 6 for pretrained vit_b_16 (IMAGENET1K_SWAG_LINEAR_V1 version). We conduct unlearning using Adam optimizer for only 1 epoch, with a batch size of 128. |