Conditional Backdoor Attack via JPEG Compression
Authors: Qiuyu Duan, Zhongyun Hua, Qing Liao, Yushu Zhang, Leo Yu Zhang
AAAI 2024 | Conference PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Extensive experiments on the MNIST, GTSRB and CelebA verify our attack's effectiveness, stealthiness and resistance to existing backdoor defenses and denoising operations. As a new triggering paradigm, the conditional backdoor attack brings a new angle for assessing the vulnerability of DNN models, and conditioning over JPEG compression magnifies its threat due to the universal usage of JPEG. |
| Researcher Affiliation | Academia | Qiuyu Duan (1), Zhongyun Hua (1,2)*, Qing Liao (1,2), Yushu Zhang (3), Leo Yu Zhang (4) — 1: Harbin Institute of Technology, Shenzhen; 2: Guangdong Provincial Key Laboratory of Novel Security Intelligence Technologies; 3: Nanjing University of Aeronautics and Astronautics; 4: Griffith University. duanqy39@gmail.com, {huazhongyun, liaoqing}@hit.edu.cn, yushu@nuaa.edu.cn, leo.zhang@griffith.edu.au |
| Pseudocode | No | No explicit pseudocode or algorithm blocks are provided in the paper. |
| Open Source Code | No | No explicit statement of, or link to, open-source code for the methodology described in this paper. |
| Open Datasets | Yes | Dataset. We conduct experiments on three classical image classification datasets: MNIST, GTSRB and CelebA. For CelebA, following the settings of WaNet (Nguyen and Tran 2021), we choose its top three most balanced attributes (i.e., Smiling, Mouth Slightly Open and Heavy Makeup) and then concatenate them to build eight classification classes. The classifier f is also set to the same settings as WaNet. Specifically, we use Pre-activation ResNet-18 for GTSRB, ResNet-18 for CelebA, and a 5-layer CNN model for MNIST. The details of the datasets and classifiers can be found in the supplementary material. (A hedged sketch of this CelebA label construction appears after the table.) |
| Dataset Splits | No | The paper does not explicitly state the training/validation/test split percentages or counts for the datasets. |
| Hardware Specification | No | No specific hardware (GPU/CPU models, memory) used for running experiments is mentioned in the paper. |
| Software Dependencies | No | No specific software dependencies with version numbers are provided in the paper. |
| Experiment Setup | Yes | We use Pre-activation ResNet-18 for GTSRB, ResNet-18 for CelebA, and a 5-layer CNN model for MNIST. The details of the datasets and classifiers can be found in the supplementary material. Compared Backdoor Attacks. As the first conditional backdoor attack, there are no other attacks with the same triggering paradigm to compare against. Thus, we chose BadNets (Gu et al. 2019), WaNet, BppAttack (Wang, Zhai, and Ma 2022), and FTrojan (Wang et al. 2022) as baselines, as they, like ours, rely on poisoning training data and require the properties of effectiveness, stealthiness, and robustness. BadNets is a classic and commonly used baseline. For WaNet, BppAttack, and FTrojan, we directly use their source codes and reported hyperparameters. Evaluation Metrics. We use two widely used metrics to evaluate the effectiveness of different attacks: Benign Accuracy (BA) and Attack Success Rate (ASR). ... The defense's performance over 100 rounds on our attack is shown in Table 3. Although I-BAU eliminates backdoors in many existing attacks within a single round, as stated in the original work, our attack maintains a high ASR (> 80%) even after 100 rounds, indicating I-BAU's limited effectiveness against our attack. (A hedged sketch of the BA/ASR evaluation with a JPEG-compression trigger appears after the table.) |
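
Below is a minimal sketch of the CelebA label construction quoted in the Open Datasets row: eight classes built by concatenating the Smiling, Mouth Slightly Open and Heavy Makeup attributes, following the WaNet-style setup the paper reuses. The torchvision `CelebA` API usage, the underscore-separated attribute names, and the bit-concatenation order are assumptions for illustration, not the authors' preprocessing code.

```python
# Hedged sketch: 8-class CelebA labels from three binary attributes.
# Attribute names and the torchvision API usage are assumptions; the
# paper's exact preprocessing may differ.
import torchvision

ATTRS = ["Smiling", "Mouth_Slightly_Open", "Heavy_Makeup"]  # assumed names

def build_celeba_labels(root="./data"):
    # CelebA ships 40 binary attributes; keep the three listed above.
    ds = torchvision.datasets.CelebA(
        root=root, split="train", target_type="attr", download=True
    )
    idx = [ds.attr_names.index(a) for a in ATTRS]
    labels = []
    for attr in ds.attr:  # attr: 40-dim 0/1 attribute vector
        bits = [int(attr[i]) for i in idx]
        # Concatenate the three bits into one class id in [0, 7];
        # the bit order is an arbitrary choice for illustration.
        labels.append((bits[0] << 2) | (bits[1] << 1) | bits[2])
    return ds, labels
```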
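
The Experiment Setup row relies on Benign Accuracy (BA) and Attack Success Rate (ASR), with JPEG compression acting as the triggering condition. The sketch below shows one plausible way to compute both; the `jpeg_roundtrip` helper, the fixed `quality` value, the `target_label` argument, and the assumption of unnormalized tensors in [0, 1] are ours, not details taken from the paper.

```python
# Hedged sketch of BA/ASR evaluation. The JPEG round-trip stands in for
# the attack's triggering condition; it is not the authors' implementation.
import io

import torch
from PIL import Image
from torchvision.transforms import functional as TF


def jpeg_roundtrip(img_tensor, quality=80):
    """Encode a CHW float tensor in [0, 1] as JPEG and decode it back."""
    pil = TF.to_pil_image(img_tensor)
    buf = io.BytesIO()
    pil.save(buf, format="JPEG", quality=quality)
    buf.seek(0)
    return TF.to_tensor(Image.open(buf).convert(pil.mode))


@torch.no_grad()
def benign_accuracy(model, clean_loader, device="cpu"):
    """BA: fraction of clean test inputs classified to their true label."""
    model.eval()
    correct = total = 0
    for x, y in clean_loader:
        pred = model(x.to(device)).argmax(dim=1).cpu()
        correct += (pred == y).sum().item()
        total += y.numel()
    return correct / total


@torch.no_grad()
def attack_success_rate(model, test_loader, target_label, quality=80, device="cpu"):
    """ASR: fraction of JPEG-compressed (triggered) inputs classified as the target."""
    model.eval()
    hits = total = 0
    for x, _ in test_loader:
        x = torch.stack([jpeg_roundtrip(img, quality) for img in x])
        pred = model(x.to(device)).argmax(dim=1).cpu()
        hits += (pred == target_label).sum().item()
        total += x.size(0)
    return hits / total
```

Measuring ASR on JPEG-compressed copies while measuring BA on clean inputs mirrors the conditional paradigm described in the paper: the backdoor is meant to fire only when the input has actually gone through JPEG compression.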