Defending Backdoor Attacks on Vision Transformer via Patch Processing

Authors: Khoa D. Doan, Yingjie Lao, Peng Yang, Ping Li

AAAI 2023

| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | The performances are evaluated on several benchmark datasets, including CIFAR10, GTSRB, and Tiny ImageNet, which show the proposed defense is very successful in mitigating backdoor attacks for ViTs. |
| Researcher Affiliation | Collaboration | Khoa D. Doan¹, Yingjie Lao², Peng Yang³, Ping Li⁴; ¹College of Engineering and Computer Science, VinUniversity; ²Electrical and Computer Engineering, Clemson University, Clemson, SC 29634, USA; ³Meta Corporation, Bellevue, WA 98004, USA; ⁴LinkedIn Corporation, Bellevue, WA 98004, USA |
| Pseudocode | Yes | Algorithm 1: Patch Processing-based Backdoor Detection |
| Open Source Code | No | The paper does not include any explicit statement or link indicating that the source code for the described methodology is publicly available. |
| Open Datasets | Yes | The performances are evaluated on several benchmark datasets, including CIFAR10, GTSRB, and Tiny ImageNet, which show the proposed defense is very successful in mitigating backdoor attacks for ViTs. |
| Dataset Splits | Yes | Our defense mechanism only requires access to a small set of K clean samples (less than 1000 on the studied datasets), which can be easily obtained from the held-out validation dataset, for selecting the threshold. |
| Hardware Specification | No | The paper does not provide specific details about the hardware used for running the experiments (e.g., GPU models, CPU types). |
| Software Dependencies | No | The paper does not provide specific version numbers for software dependencies or libraries used in the experiments. |
| Experiment Setup | Yes | Note that the models are pretrained on ImageNet-21k and fine-tuned on the corresponding dataset to ensure a consistent experimentation framework. ... training the model for 50 epochs in step (i) is sufficient for the backdoor to be inserted into the model if the training dataset is poisoned and for the clean-data accuracy to reach an acceptable performance compared to its optimal value (a few percents difference, e.g., > 90% in CIFAR10). |