Data Free Backdoor Attacks
Authors: Bochuan Cao, Jinyuan Jia, Chuxuan Hu, Wenbo Guo, Zhen Xiang, Jinghui Chen, Bo Li, Dawn Song
NeurIPS 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We conduct both theoretical and empirical evaluations for DFBA. Empirically, we evaluate DFBA on various models with different architectures trained from various benchmark datasets. We demonstrate that DFBA can achieve 100% attack success rates across all datasets and models while triggering only less than 3% accuracy loss on clean testing inputs. We also show that DFBA can bypass six state-of-the-art defenses. |
| Researcher Affiliation | Academia | (1) The Pennsylvania State University; (2) University of Illinois at Urbana-Champaign; (3) University of California, Santa Barbara; (4) University of Georgia; (5) University of California Berkeley |
| Pseudocode | No | The paper includes figures visualizing concepts but does not contain a dedicated section or figure labeled 'Pseudocode' or 'Algorithm'. |
| Open Source Code | Yes | The code for our experiment can be found at https://github.com/AAAAAAsuka/DataFree_Backdoor_Attacks |
| Open Datasets | Yes | Datasets: We consider the following benchmark datasets: MNIST, Fashion-MNIST, CIFAR10, GTSRB, and ImageNet. |
| Dataset Splits | No | The paper provides statistics for training and testing images for each dataset but does not explicitly mention a validation dataset split used in their own experimental setup. |
| Hardware Specification | Yes | We conducted all experiments on an NVIDIA A100 GPU, and the random seed for all experiments was set to 0. Our attack has the following parameters: threshold λ, amplification factor γ, and trigger size. Unless otherwise mentioned, we adopt the following default parameters: we set λ = 0.1. |
| Software Dependencies | No | The paper mentions general platforms like 'TensorFlow Model Garden' and 'Hugging Face' but does not specify software dependencies like programming language or library versions (e.g., PyTorch version) used for the implementation. |
| Experiment Setup | Yes | Parameter settings: We conducted all experiments on an NVIDIA A100 GPU, and the random seed for all experiments was set to 0. Our attack has the following parameters: threshold λ, amplification factor γ, and trigger size. Unless otherwise mentioned, we adopt the following default parameters: we set λ = 0.1. Moreover, we set γ to satisfy λγ^{L−1} = 100, where L is the total number of layers of a neural network. In Figure 7, we conduct an ablation study on λ and γ. We find that λ and γ could influence the utility of a classifier and attack effectiveness. When λ is small, our method would not influence utility. When γ is large, our attack could consistently achieve a high attack success rate. Thus, in practice, we could set a small λ and a large γ. We set the size of the backdoor trigger (in the bottom right corner) to 4 × 4 and the target class to 0 for all datasets. |