Black-box Backdoor Defense via Zero-shot Image Purification

Authors: Yucheng Shi, Mengnan Du, Xuansheng Wu, Zihan Guan, Jin Sun, Ninghao Liu

NeurIPS 2023

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | We evaluate our ZIP framework on multiple datasets with different types of attacks. Experimental results demonstrate the superiority of our ZIP framework compared to state-of-the-art backdoor defense baselines. |
| Researcher Affiliation | Academia | ¹School of Computing, University of Georgia; ²Department of Data Science, New Jersey Institute of Technology |
| Pseudocode | Yes | Algorithm 1 Zero-shot Image Purification; Algorithm 2 Zero-shot Image Purification (based on DDIM) |
| Open Source Code | Yes | Our code is available at https://github.com/sycny/ZIP. |
| Open Datasets | Yes | We evaluate the effectiveness of our defense framework ZIP on three datasets: CIFAR-10 [30], GTSRB [52], and Imagenette [24]. |
| Dataset Splits | Yes | The dataset is divided into 50,000 training images and 10,000 test images, with a balanced distribution of classes. (CIFAR-10) The dataset is split into training and validation sets, following a predefined split ratio. (Imagenette) |
| Hardware Specification | Yes | To evaluate the purification speed, we conduct experiments using a workstation that features an Intel(R) Core(TM) i9-10900X CPU and an NVIDIA RTX3070 GPU with 8GB of memory. |
| Software Dependencies | No | The paper mentions using a 'pre-trained model provided by OpenAI [9] under the MIT license' and implementing 'backdoor attacks using the BackdoorBox framework [33]', but it does not specify version numbers for general software dependencies like Python, PyTorch, or other libraries. |
| Experiment Setup | Yes | In our implementation, we set the poisoned rate to 5%... The trigger pattern size is set to 2x2 for 32x32 pixels images and 9x9 for 256x256 pixels images. The trigger patterns are randomly generated. (BadNet) Following the suggestion in BackdoorBox, we set the blended rate to 0.2 and the poisoned rate to 5%. (Blended) We set the hyperparameter λ to a value of 2 for Blended attack defense, and 10 for BadNet and PhysicalBA attack defense. (Purification Implementation) |