Bucks for Buckets (B4B): Active Defenses Against Stealing Encoders

Authors: Jan Dubiński, Stanisław Pawlak, Franziska Boenisch, Tomasz Trzcinski, Adam Dziedzic

NeurIPS 2023

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | 4 Empirical Evaluation, Experimental Setup. We conduct experiments on various kinds of downstream tasks and two popular SSL encoders. To test our defense, we use FashionMNIST, SVHN, STL10, and CIFAR10 as our downstream datasets, each with standard train and test splits. |
| Researcher Affiliation | Collaboration | 1 Warsaw University of Technology; 2 IDEAS NCBR; 3 Tooploox; 4 CISPA Helmholtz Center for Information Security |
| Pseudocode | No | The paper provides conceptual diagrams (e.g., Figure 1) but does not include structured pseudocode or algorithm blocks. |
| Open Source Code | Yes | Code available at https://github.com/stapaw/b4b-active-encoder-defense |
| Open Datasets | Yes | CIFAR10 [28]: The CIFAR10 dataset consists of 32x32 colored images with 10 classes. There are 50000 training images and 10000 test images. ImageNet [15]: Larger sized coloured images with 1000 classes. As is commonly done, we resize all images to be of size 224x224. There are approximately 1 million training images and 50000 test images. LAION-5B [35]: The LAION-5B dataset consists of 5,85 billion CLIP-filtered image-text pairs. The dataset was crawled from publicly available internet. |
| Dataset Splits | No | To test our defense, we use FashionMNIST, SVHN, STL10, and CIFAR10 as our downstream datasets, each with standard train and test splits. The paper mentions train and test splits, but does not explicitly provide a separate validation split for their experiments or refer to a standard validation split for these specific datasets in their setup. |
| Hardware Specification | Yes | The end-to-end experiments on stealing SimSiam and ViT DINO encoders were done using 3 A100 GPUs. Detailed experiments including mapping, transformations and the evaluation was performed using a single computer equipped with two Nvidia RTX 2080 Ti GPUs. |
| Software Dependencies | No | The paper mentions using SimSiam and DINO frameworks and implementing LSH from scratch using random projections, but does not provide specific version numbers for any software libraries, frameworks, or dependencies. |
| Experiment Setup | Yes | As our victim encoders, we use the publicly available ResNet50 model from SimSiam trained for 100 epochs on ImageNet and the ViT Small DINO encoder trained for 800 epochs on ImageNet, each using batch size 256. ... For B4B, we aim at penalizing high embedding space coverage severely. ... we consider σ = 1 as a high penalty, which leads to α = 1, and select β = 0.8. ... Finally, to obtain a flat cost curve close to the origin which serves to map small fractions of covered buckets to small costs we find that we can set λ = 10⁻⁶. |