IBD-PSC: Input-level Backdoor Detection via Parameter-oriented Scaling Consistency

Authors: Linshan Hou, Ruili Feng, Zhongyun Hua, Wei Luo, Leo Yu Zhang, Yiming Li

ICML 2024

| Reproducibility Variable | Result | LLM Response |
| --- | --- | --- |
| Research Type | Experimental | Extensive experiments are conducted on benchmark datasets, verifying the effectiveness and efficiency of our IBD-PSC method and its resistance to adaptive attacks. |
| Researcher Affiliation | Collaboration | 1 School of Computer Science and Technology, Harbin Institute of Technology, Shenzhen, China; 2 Alibaba Group, China; 3 University of Science and Technology of China, China; 4 School of Information Technology, Deakin University, Australia; 5 School of Information and Communication Technology, Griffith University, Australia; 6 Nanyang Technological University, Singapore. |
| Pseudocode | Yes | Algorithm 1 Adaptive layer selection. |
| Open Source Code | Yes | Codes are available at BackdoorBox. [...] These attacks are implemented using the BackdoorBox toolkit (Li et al., 2023a) [1]. [1] https://github.com/THUYimingLi/BackdoorBox. [...] the corresponding codes and model checkpoints have been provided in the supplementary materials. |
| Open Datasets | Yes | We follow the settings in existing backdoor defenses and conduct experiments on CIFAR10 (Krizhevsky et al., 2009), GTSRB (Stallkamp et al., 2012) and a subset of ImageNet dataset with 200 classes (dubbed "SubImageNet-200") (Deng et al., 2009) using the ResNet18 architecture (He et al., 2016a). |
| Dataset Splits | Yes | The training set comprises 50,000 images, while the test set contains 10,000 images, with an equal distribution across the ten classes. [...] The training set consists of 39,209 images, while the test set contains 12,630 images. [...] the subset includes 100,000 images from the original ImageNet for training (500 images per class) and 10,000 images for testing (50 images per class). [...] Defenders can only access 100 benign samples as their local samples. |
| Hardware Specification | Yes | All experiments are performed on a server with the Ubuntu 16.04.6 LTS operating system, a 3.20GHz CPU, 2 NVIDIA's GeForce GTX3090 GPUs with 62G RAM, and an 8TB hard disk. |
| Software Dependencies | No | The paper mentions using the "BackdoorBox toolkit" and states that defenses are implemented using "official codes with default settings." However, it does not provide specific version numbers for these tools or any underlying software libraries (e.g., Python, PyTorch, TensorFlow versions). |
| Experiment Setup | Yes | We adopt the standard training pipeline for developing backdoor models. This involves an SGD optimizer with a momentum of 0.9 and a weight decay of 10^-4. The initial learning rate is set at 0.1, which is reduced to 10% of its previous value at the 50th and 75th epochs. The training comprises 200 epochs with a batch size of 128. [...] Specifically, we set ω = 1.5, n = 5, ϵ = 60%, and T = 0.9. |