Transferable Clean-Label Poisoning Attacks on Deep Neural Nets
Authors: Chen Zhu, W. Ronny Huang, Hengduo Li, Gavin Taylor, Christoph Studer, Tom Goldstein
ICML 2019
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | We achieve transferable attack success rates of over 50% while poisoning only 1% of the training set. (See also Section 4, Experiments.) |
| Researcher Affiliation | Academia | 1University of Maryland, College Park 2United States Naval Academy 3Cornell University. Correspondence to: Chen Zhu <chenzhu@cs.umd.edu>, W. Ronny Huang <wronnyhuang@gmail.com>, Tom Goldstein <tomg@cs.umd.edu>. |
| Pseudocode | Yes | Algorithm 1 Convex Polytope Attack (a hedged sketch of the objective this algorithm minimizes appears below the table) |
| Open Source Code | Yes | The code for the experiments is available at https://github.com/zhuchen03/Convex_Polytope_Posioning. |
| Open Datasets | Yes | In this section, all images come from the CIFAR10 dataset. If not explicitly specified, we take the first 4800 images from each of the 10 classes (a total of 48000 images) in the training set to pre-train the victim models and the substitute models (φ^(i)). (A data-selection sketch appears below the table.) |
| Dataset Splits | No | The paper describes how different subsets of the CIFAR10 dataset are used for training, fine-tuning, and testing (e.g., 48000 images for pre-training, 500 images for fine-tuning), and mentions leaving the 'test set intact'. However, it does not explicitly provide specific percentages or counts for a standard train/validation/test split for the main experimental phases, nor does it refer to predefined splits with citations for all stages. |
| Hardware Specification | No | The paper does not provide specific details about the hardware used for running the experiments, such as GPU or CPU models, or memory specifications. |
| Software Dependencies | No | The paper mentions 'Adam (Kingma & Ba, 2014)' as an optimizer and implies the use of PyTorch through a cited GitHub repository ('pytorch-cifar') for training models. However, it does not specify version numbers for any of these software components (e.g., Python version, PyTorch version, Adam optimizer library version). |
| Experiment Setup | Yes | For all our experiments, we set ϵ = 0.1. We use Adam (Kingma & Ba, 2014) with a relatively large learning rate of 0.04 for crafting the poisons, since the networks have been trained to have small gradients on images similar to the training set. We perform no more than 4000 iterations on the poison perturbations in each experiment. [...] We train these models from scratch on the aforementioned 48000-image training set with Dropout probabilities of 0, 0.2, 0.25 and 0.3 [...] In the transfer learning setting [...] we use Adam with a large learning rate of 0.1 to overfit. In the end-to-end setting, we use Adam with a small learning rate of 10^-4 to overfit. (A sketch of the two fine-tuning optimizer configurations appears below the table.) |
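
The Pseudocode row refers to Algorithm 1, the Convex Polytope Attack. As a rough illustration of the objective that algorithm minimizes, the sketch below matches the target's features against a convex combination of the poisons' features across several substitute feature extractors, using the ε = 0.1 bound, Adam at learning rate 0.04, and the 4000-iteration budget quoted above. The function names and the softmax parameterization of the simplex weights are assumptions made for brevity (the paper keeps the coefficients on the simplex via forward-backward splitting); this is a minimal sketch, not the authors' implementation.

```python
import torch
import torch.nn.functional as F

def convex_polytope_loss(feature_extractors, target_feats, poisons, coeff_logits):
    """Convex Polytope objective across substitute models (a sketch).

    feature_extractors: list of m frozen feature extractors phi^(i) (eval mode)
    target_feats:       list of m precomputed feature vectors phi^(i)(x_t)
    poisons:            tensor of shape (k, C, H, W)
    coeff_logits:       tensor of shape (m, k); softmax gives simplex weights c^(i)
    """
    loss = 0.0
    for i, (phi, t_feat) in enumerate(zip(feature_extractors, target_feats)):
        p_feats = phi(poisons)                     # (k, d) poison features
        c = F.softmax(coeff_logits[i], dim=0)      # convex-combination weights
        combo = (c.unsqueeze(1) * p_feats).sum(0)  # sum_j c_j * phi(x_p^(j))
        loss = loss + 0.5 * (combo - t_feat).pow(2).sum() / t_feat.pow(2).sum()
    return loss

def craft_poisons(feature_extractors, x_target, x_bases, eps=0.1, lr=0.04, iters=4000):
    """Craft poisons with Adam, projecting perturbations into the l_inf eps-ball."""
    with torch.no_grad():
        target_feats = [phi(x_target.unsqueeze(0)).squeeze(0) for phi in feature_extractors]
    delta = torch.zeros_like(x_bases, requires_grad=True)
    coeff_logits = torch.zeros(len(feature_extractors), x_bases.size(0), requires_grad=True)
    opt = torch.optim.Adam([delta, coeff_logits], lr=lr)
    for _ in range(iters):
        opt.zero_grad()
        loss = convex_polytope_loss(feature_extractors, target_feats,
                                    x_bases + delta, coeff_logits)
        loss.backward()
        opt.step()
        with torch.no_grad():
            delta.clamp_(-eps, eps)                                   # l_inf constraint
            delta.copy_((x_bases + delta).clamp(0, 1) - x_bases)      # keep valid pixels
    return (x_bases + delta).detach()
```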
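The Open Datasets row quotes the 48,000-image pre-training subset (the first 4,800 images per CIFAR10 class). A minimal torchvision sketch of that selection, with hypothetical variable names rather than the authors' script, could look like:

```python
import numpy as np
from torchvision import datasets, transforms
from torch.utils.data import Subset

# Take the first 4800 images of each of the 10 CIFAR10 classes (48000 total)
# to form the pre-training set described in the paper.
cifar = datasets.CIFAR10(root="./data", train=True, download=True,
                         transform=transforms.ToTensor())
targets = np.array(cifar.targets)
indices = []
for c in range(10):
    indices.extend(np.where(targets == c)[0][:4800].tolist())
pretrain_set = Subset(cifar, sorted(indices))
```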
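For the fine-tuning stage quoted in the Experiment Setup row, the sketch below shows the two optimizer configurations: transfer learning with Adam at learning rate 0.1 on the classifier head only, and end-to-end training with Adam at learning rate 10^-4 on all parameters. The `fc` attribute and the exact freezing strategy are assumptions based on a torchvision-style model, not details quoted from the paper.

```python
import torch

def make_finetune_optimizer(model, end_to_end=False):
    """Build the fine-tuning optimizer for either setting (a sketch)."""
    if end_to_end:
        # End-to-end setting: Adam with a small learning rate of 1e-4 on all parameters.
        return torch.optim.Adam(model.parameters(), lr=1e-4)
    # Transfer learning setting: freeze the feature extractor and overfit the
    # classifier head with Adam at a large learning rate of 0.1.
    for p in model.parameters():
        p.requires_grad = False
    head = model.fc  # assumes a torchvision-style final linear layer
    for p in head.parameters():
        p.requires_grad = True
    return torch.optim.Adam(head.parameters(), lr=0.1)
```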