Comments (7)
Hi, Thanks for your interest in our work. To verify the effectiveness of NAD, you could finetune the backdoored student with/without the NAD loss, i.e. setting at1_loss, at2_loss, and at3_loss all to be non-zero/zero, and compare the ASR under two types of settings.
from nad.
from nad.
Thanks for providing the screenshot. It is clear to see that there achieves a better erasing result with NAD loss(ASR decreases to 3.78%, compared to the result without NAD loss). By the way, the selection of trigger types\teacher models\data augmentation techniques
also causes different erasing effects for distillation.
from nad.
But, when I run without NAD loss train code, there also have good results in ASR, so I think it is random results for the CE loss in the clean dataset, you can see the next pictures. Whether use the clean dataset to retrain the backdoor model is good enough to defend against the backdoor attack? Thank you.
from nad.
To be honest, It is not surprising that Fine-tuning can effectively erase BadNets attack; the erasing effect is probably attributed to the data augmentation techniques, i.e. Padding, flip, and cutout, as they are highly related to the original trigger pattern. You can change the param of Cutout
as 1 hole with a litter size 9 or 4 to verify this observation. By the way, I think the adaptive attacks
shown in Appendix K(Table 9)
in our paper will be beneficial to your understanding of our NAD.
from nad.
OK, thank you, which parameters in the code should I change to use the adaptive attacks in this code?
from nad.
The most simple case is that changing the location of the backdoor trigger (i.e. BadNets trigger) from the bottom-right to the center of the image.
from nad.
Related Issues (17)
- RuntimeError: view size is not compatible with input tensor's size and stride HOT 1
- The reproducibility of experiments in the paper HOT 2
- What config did you use to have the model return the activations? HOT 1
- Configuration HOT 1
- Why is normalization not applied in the data preprocessing? HOT 2
- Trojan trigger(/NAD/trigger/best_square_trigger_cifar10.npz) not effective HOT 2
- is it possible to transfer NAD to other models?( for example resnet18) HOT 3
- Wheather the so-called attebtion distillation machanism work? HOT 2
- A question when analyzing the code
- How to get the teacher model? HOT 3
- Do you provide the code to fine-tune the student model? HOT 5
- How to train CL and Refool backdoored model? HOT 1
- Results of BadNet and Fine-tuning HOT 10
- performance on GTSRB HOT 1
- How does the attention loss work HOT 1
- A few question HOT 1
Recommend Projects
-
React
A declarative, efficient, and flexible JavaScript library for building user interfaces.
-
Vue.js
🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
-
Typescript
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
-
TensorFlow
An Open Source Machine Learning Framework for Everyone
-
Django
The Web framework for perfectionists with deadlines.
-
Laravel
A PHP framework for web artisans
-
D3
Bring data to life with SVG, Canvas and HTML. 📊📈🎉
-
Recommend Topics
-
javascript
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
-
web
Some thing interesting about web. New door for the world.
-
server
A server is a program made to process requests and deliver data to clients.
-
Machine learning
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
-
Visualization
Some thing interesting about visualization, use data art
-
Game
Some thing interesting about game, make everyone happy.
Recommend Org
-
Facebook
We are working to build community through open source technology. NB: members must have two-factor auth.
-
Microsoft
Open source projects and samples from Microsoft.
-
Google
Google ❤️ Open Source for everyone.
-
Alibaba
Alibaba Open Source for everyone
-
D3
Data-Driven Documents codes.
-
Tencent
China tencent open source team.
from nad.