Comments (5)
And another thing is to add some naive transformations as defenses (rotation, random cropping, brightness change). It seems these naive methods are very effective.
These defenses are effective when adding the mark is behind normal data transformations. However, when adding the mark is before normal data transformations #49, due to the generalization gain from data transformation, these defenses do not work that well.
from trojanzoo.
The current Randomized Smoothing is a generic method, that we use the averaged logits of samples from Gaussian distribution as the prediction result. However, according to Certified Adversarial Robustness via Randomized Smoothing, it uses a vote mechanism to detect outliers. So it's not like a general mitigation method (such as adversarial training and MagNet), but an input detector like STRIP.
And another thing is to add some naive transformations as defenses (rotation, random cropping, brightness change). It seems these naive methods are very effective.
Hi, Ren Pang,
thanks for your great efforts on this useful tool. In our work 'Rethinking the trigger of backdoor attack' (https://www.researchgate.net/publication/340541667_Rethinking_the_Trigger_of_Backdoor_Attack), we have done some explorations about the pre-processing based defenses. We found that spatial transformations (e.g., flipping, shrinking) are relatively effective against (most of) existing standard backdoor attacks. However, classical color shifting methods (e.g., brightness, contrast) are far less effective, especially when the trigger is visible. Besides, transformations involved in the data augmentation process will decrease the effectiveness of those (pre-processing based) defenses to some extent. You can find more details in our paper :).
from trojanzoo.
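The distinction drawn above between averaging logits over Gaussian noise and the voting procedure of Certified Adversarial Robustness via Randomized Smoothing, shown as an added example that is not TrojanZoo's code and not part of the thread. `toy_logits` is a hypothetical two-class linear model, and the function names and the `sigma`, `n` and `alpha` values are assumptions chosen for illustration.

```python
import math
import random

ABSTAIN = -1  # returned when the vote is not statistically decisive

def toy_logits(x):
    # Hypothetical 2-class linear model on a 2-D input (assumption).
    return [2.0 * x[0] - x[1], x[1] - 0.5 * x[0]]

def noisy_samples(x, sigma, n, rng):
    # n copies of x, each perturbed with isotropic Gaussian noise.
    return [[v + rng.gauss(0.0, sigma) for v in x] for _ in range(n)]

def smooth_mean_logits(x, sigma, n, rng):
    # Generic smoothing: argmax of averaged logits, always outputs a class.
    sums = [0.0, 0.0]
    for xs in noisy_samples(x, sigma, n, rng):
        for k, z in enumerate(toy_logits(xs)):
            sums[k] += z
    return max(range(len(sums)), key=lambda k: sums[k])

def binom_p_two_sided(k, n):
    # Two-sided p-value for k successes in n fair-coin trials.
    tail = sum(math.comb(n, i) for i in range(max(k, n - k), n + 1)) / 2 ** n
    return min(1.0, 2 * tail)

def smooth_vote(x, sigma, n, alpha, rng):
    # Voting variant: count hard predictions, then test whether the top
    # class beats the runner-up significantly; otherwise abstain.
    counts = [0, 0]
    for xs in noisy_samples(x, sigma, n, rng):
        z = toy_logits(xs)
        counts[z.index(max(z))] += 1
    top, runner = sorted(range(2), key=lambda k: -counts[k])[:2]
    p = binom_p_two_sided(counts[top], counts[top] + counts[runner])
    return top if p <= alpha else ABSTAIN

if __name__ == "__main__":
    rng = random.Random(0)
    for name, x in [("far from boundary", [3.0, 0.0]),
                    ("on boundary", [0.0, 0.0])]:
        mean_cls = smooth_mean_logits(x, 0.5, 200, rng)
        vote_cls = smooth_vote(x, 0.5, 200, 0.001, rng)
        print(f"{name}: mean-logits={mean_cls} vote={vote_cls}")
```

The abstain branch is what makes the voting variant behave like an input detector: an input whose noisy copies split between classes is flagged rather than silently assigned a label.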
@THUYimingLi I think I won't be able to add those spatial transformation methods recently...
And I will not change the order of adding marks as #49 illustrates. If adding the mark before the augmentation, the attacks will lose the watermark gradient information if they want to optimize them, which makes the current code structure not work.
from trojanzoo.
@THUYimingLi I think I won't be able to add those spatial transformation methods recently...
And I will not change the order of adding marks as #49 illustrates. If adding the mark before the augmentation, the attacks will lose the watermark gradient information if they want to optimize them, which makes the current code structure not work.
I understand your concerns. It is just some simple suggestions. :)
from trojanzoo.
@THUYimingLi I think I won't be able to add those spatial transformation methods recently...
And I will not change the order of adding marks as #49 illustrates. If adding the mark before the augmentation, the attacks will lose the watermark gradient information if they want to optimize them, which makes the current code structure not work.
@ain-soph, Hi, kornia has similar APIs to torchvision.transforms and supports differentiable data augmentations on GPUs, which makes it possible to integrate preprocessing into the training pipeline. Maybe you can try it if it's convenient.
from trojanzoo.