Incompatibility Clustering as a Defense Against Backdoor Poisoning Attacks
Authors: Charles Jin, Melinda Sun, Martin Rinard
ICLR 2023
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Our evaluation focuses on backdoor attacks against deep neural networks trained to perform image classification using the GTSRB and CIFAR-10 datasets. Our results show that (1) these attacks produce poisoned datasets in which the poisoned and clean data are incompatible and (2) our technique successfully identifies (and removes) the poisoned data. In an end-to-end evaluation, our defense reduces the attack success rate to below 1% on 134 out of 165 scenarios, with only a 2% drop in clean accuracy on CIFAR-10 and a negligible drop in clean accuracy on GTSRB. |
| Researcher Affiliation | Academia | Charles Jin, CSAIL, MIT, Cambridge, MA 02139, ccj@csail.mit.edu; Melinda Sun, MIT, Cambridge, MA 02139, mmsun@mit.edu; Martin Rinard, CSAIL, MIT, Cambridge, MA 02139, rinard@csail.mit.edu |
| Pseudocode | Yes | Algorithm 1: Inverse Self-Paced Learning; Algorithm 2: Boosting Homogeneous Sets (hedged sketches of both algorithms follow the table). |
| Open Source Code | Yes | We have open sourced our implementation at https://github.com/charlesjin/compatibility_clustering/. |
| Open Datasets | Yes | Our evaluation focuses on backdoor attacks against deep neural networks trained to perform image classification using the GTSRB and CIFAR-10 datasets. We use the CIFAR-10 dataset (Krizhevsky & Hinton, 2009)... and the GTSRB dataset (Stallkamp et al., 2012)... |
| Dataset Splits | No | The paper specifies training and test data sizes (e.g., '5000 training and 1000 test images each' for CIFAR-10), but it does not explicitly detail the split for a distinct validation set used for hyperparameter tuning or early stopping. |
| Hardware Specification | No | The paper describes the model architectures (e.g., 'PreActResNet-18 architecture', 'ResNet32 model') and training parameters, but it does not specify any details about the hardware (e.g., CPU or GPU models, memory) used to run the experiments. |
| Software Dependencies | No | The paper mentions software such as 'PyTorch' and 'TensorFlow 1.x' (the latter implicitly, through a comparison in Appendix C), but it does not provide version numbers for these or any other ancillary software components, which a reproducible description requires. |
| Experiment Setup | Yes | For CIFAR-10, we run 8 rounds of ISPL... annealing schedule 1 ≥ β0 ≥ … ≥ βN = βmin > 0, expansion factor α, momentum η ∈ [0, 1], learning algorithm A, initial parameters θ0... The expansion factor α is set to 1/4, and the momentum factor η is set to 0.9... For the learning procedure A, we use standard SGD, trained for 4 epochs per iteration, with a warm-up in the first iteration of 8 epochs... Each subset's vote is weighted by its size. We run ISPL 3 times to generate 24 weak learners for CIFAR-10, and 12 weak learners for GTSRB. For the boosting framework, each weak learner is trained for 40 epochs on its respective subset... For CIFAR-10, we also include a final self-training step by training a fresh model for 100 epochs on the recovered samples... For the PreActResNet-18 (He et al., 2016b) model, we use vanilla SGD with learning rate 0.02, momentum 0.9, and weight decay 5e-4. For the final dataset, we train for 100 epochs (unless otherwise noted) and drop the learning rate by a factor of 10 at epochs 50, 75, and 90. (Hedged sketches of the ISPL loop, the size-weighted vote, and this training schedule follow the table.) |
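
The paper's Algorithm 1 (Inverse Self-Paced Learning) appears above only through its quoted inputs. Below is a minimal sketch of the shrinking-subset loop those inputs suggest, assuming each round keeps the β-fraction of samples with the lowest momentum-smoothed loss; the helper names (`train_fn`, `loss_fn`, `ispl_select`) are ours, and the role of the expansion factor α is elided.

```python
# Hedged sketch of an inverse self-paced selection loop (not the paper's
# exact Algorithm 1). train_fn and loss_fn are caller-supplied stand-ins
# for the learning algorithm A and a per-sample loss evaluation.
import numpy as np

def ispl_select(train_fn, loss_fn, n_samples, betas, eta=0.9):
    """Shrink from the full dataset to the beta_min fraction of samples.

    betas -- annealing schedule with 1 >= beta_0 >= ... >= beta_N = beta_min > 0
    eta   -- momentum for the per-sample loss moving average
    """
    selected = np.arange(n_samples)            # round 0: the full dataset
    scores = np.zeros(n_samples)               # momentum-smoothed losses
    for beta in betas:
        train_fn(selected)                     # a few SGD epochs on the subset
        scores = eta * scores + (1 - eta) * loss_fn()
        k = max(1, int(beta * n_samples))
        selected = np.argsort(scores)[:k]      # keep lowest-loss beta-fraction
    return selected
```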
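
Algorithm 2 (Boosting Homogeneous Sets) aggregates the subsets recovered by repeated ISPL runs; the quote above states only that each subset's vote is weighted by its size. Here is a hedged sketch of such a size-weighted majority vote, with a hypothetical per-learner clean/poisoned predicate standing in for the paper's actual voting rule:

```python
# Hedged sketch of a size-weighted majority vote over weak learners.
# Each learner is a callable returning True if it judges the sample clean;
# its vote carries weight equal to the size of the subset it was trained on.
def size_weighted_vote(learners, subset_sizes, sample):
    total = float(sum(subset_sizes))
    clean = sum(size for learner, size in zip(learners, subset_sizes)
                if learner(sample))
    return clean >= total / 2                  # majority of weighted mass
```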
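
The final training recipe quoted above (vanilla SGD, learning rate 0.02, momentum 0.9, weight decay 5e-4, 100 epochs, learning rate dropped by a factor of 10 at epochs 50, 75, and 90) maps directly onto a standard PyTorch loop. A minimal sketch follows, with a placeholder linear model and a one-batch dummy loader standing in for the paper's PreActResNet-18 and the recovered clean samples:

```python
# Minimal PyTorch sketch of the quoted schedule; the linear model and the
# one-batch `loader` are placeholders, not the paper's actual setup.
import torch
import torch.nn as nn
from torch.optim.lr_scheduler import MultiStepLR

model = nn.Linear(3 * 32 * 32, 10)             # stand-in for PreActResNet-18
optimizer = torch.optim.SGD(model.parameters(), lr=0.02,
                            momentum=0.9, weight_decay=5e-4)
scheduler = MultiStepLR(optimizer, milestones=[50, 75, 90], gamma=0.1)
criterion = nn.CrossEntropyLoss()
loader = [(torch.randn(8, 3, 32, 32), torch.randint(0, 10, (8,)))]  # dummy batch

for epoch in range(100):
    for x, y in loader:
        optimizer.zero_grad()
        loss = criterion(model(x.flatten(1)), y)
        loss.backward()
        optimizer.step()
    scheduler.step()                           # lr /10 at epochs 50, 75, 90
```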