WaveAttack: Asymmetric Frequency Obfuscation-based Backdoor Attacks Against Deep Neural Networks
Authors: Jun Xia, Zhihao Yue, Yingbo Zhou, Zhiwei Ling, Yiyu Shi, Xian Wei, Mingsong Chen
NeurIPS 2024
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Comprehensive experimental results show that, WaveAttack can not only achieve higher effectiveness than state-of-the-art backdoor attack methods, but also outperform them in the fidelity of images (i.e., by up to 28.27% improvement in PSNR, 1.61% improvement in SSIM, and 70.59% reduction in IS). Our code is available at https://github.com/BililiCode/WaveAttack. |
| Researcher Affiliation | Academia | ¹MoE Eng. Research Center of SW/HW Co-design Tech. and App., East China Normal University; ²Department of Computer Science and Engineering, University of Notre Dame. {jxia, 51215902034, 52215902009, 51215902044}@stu.ecnu.edu.cn, yshi4@nd.edu, {xwei, mschen}@sei.ecnu.edu.cn |
| Pseudocode | Yes | Algorithm 1: Training of WaveAttack |
| Open Source Code | Yes | Our code is available at https://github.com/BililiCode/WaveAttack. |
| Open Datasets | Yes | We evaluated all the attack methods on four well-known benchmark datasets, i.e., CIFAR-10 [31], CIFAR-100 [31], GTSRB [32] and a subset of ImageNet (with the first 20 categories) [33]. |
| Dataset Splits | No | Table 6: Datasets Settings. Columns: Dataset, Input Size, Classes, Training Images, Test Images. CIFAR-10: 3 × 32 × 32, 10, 50000, 10000; CIFAR-100: 3 × 32 × 32, 100, 50000, 10000; GTSRB: 3 × 32 × 32, 43, 26640, 12569; ImageNet subset: 3 × 224 × 224, 20, 26000, 1000. |
| Hardware Specification | Yes | We conducted all experiments on a workstation with a 3.6GHz Intel i9 CPU, 32GB of memory, an NVIDIA GeForce RTX3090 GPU, and a Ubuntu operating system. |
| Software Dependencies | No | We implemented WaveAttack using PyTorch and compared its performance with seven existing backdoor attack methods. |
| Experiment Setup | Yes | We used the SGD optimizer for training a classifier with a learning rate of 0.01, and the Adam optimizer for training a generator with a learning rate of 0.001. We decreased this learning rate by a factor of 10 after every 100 epochs. We considered various data augmentations, i.e., random crop and random horizontal flipping. For BadNets, we used a grid trigger placed in the bottom right corner of the image. For Blend, we applied a Hello Kitty trigger on CIFAR-10, CIFAR-100, and GTSRB datasets and used random noises on the ImageNet dataset. For other attack methods, we used the default settings in their respective papers. Specifically, the poisoning rate is set to 10% with a target label of 0 to ensure a fair comparison. |