BAN: Detecting Backdoors Activated by Adversarial Neuron Noise
Authors: Xiaoyun Xu, Zhuoran Liu, Stefanos Koffas, Shujian Yu, Stjepan Picek
NeurIPS 2024 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Experimental results demonstrate our defense, BAN, is 1.37 (on CIFAR-10) and 5.11 (on Image Net200) more efficient with an average 9.99% higher detect success rate than the state-of-the-art defense BTI-DBF. |
| Researcher Affiliation | Academia | Xiaoyun Xu Radboud University xiaoyun.xu@ru.nl Zhuoran Liu Radboud University z.liu@cs.ru.nl Stefanos Koffas Delft University of Technology s.koffas@tudelft.nl Shujian Yu Vrije Universiteit Amsterdam s.yu3@vu.nl Stjepan Picek Radboud University stjepan.picek@ru.nl |
| Pseudocode | No | The paper includes Figure 5, an "Illustrative diagram of BAN", which shows a pipeline, but not structured pseudocode or an algorithm block with numbered steps. |
| Open Source Code | Yes | Our code and trained models are publicly available at https://github.com/xiaoyunxxy/ban. |
| Open Datasets | Yes | The datasets for our experiments include CIFAR-10 [16], GTSRB [33], Tiny-Image Net [17], and a subset of Image Net-1K [7]. |
| Dataset Splits | Yes | Same to [41], we use 90% of training data for training backdoor models and 10% for the validation set. |
| Hardware Specification | Yes | Hardware. All experiments are run on a single machine with 4 RTX A6000 (48GB) and 4 RTX A5000 (24GB) GPUs, CUDA 12.0. |
| Software Dependencies | No | The paper mentions "CUDA 12.0" but does not specify programming languages (e.g., Python) or core ML libraries (e.g., PyTorch, TensorFlow) with version numbers. |
| Experiment Setup | Yes | For all backdoored models, we use SGD with a momentum of 0.9, weight decay of 5 10 4, and a learning rate of 0.01. We train for 200 epochs, and the learning rate is divided by 10 at the 100-th and 150-th epochs. (...) We use epsilon (ϵ) to limit the noise added to neurons. The ϵ values are 0.3, 0.3, 0.2, and 0.1 for CIFAR-10, GTSRB, Tiny-Image Net, and Image Net200, respectively. We use the 30-step PGD algorithm to solve the optimization in Eq. (4) to find the noise, i.e., δ and ξ. We use SGD and the learning rate of ϵ/30 for the PGD optimization. Then, we use Adam and the learning rate of 0.01 to search for 20 epochs for the feature mask using Eq. (5). The λ1 for Eq. (5) equals 0.75. (...) we only use 5% of training data and 25 epochs for our fine-tuning. The trade-off hyperparameter (λ2) is 0.5. We use SGD with momentum=0.9, weight decay=5e-4, and learning rate=0.005 as the optimizer. |