Anti-Backdoor Learning: Training Clean Models on Poisoned Data
Authors: Yige Li, Xixiang Lyu, Nodens Koren, Lingjuan Lyu, Bo Li, Xingjun Ma
NeurIPS 2021
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | Through extensive experiments on multiple benchmark datasets against 10 state-of-the-art attacks, we empirically show that ABL-trained models on backdoor-poisoned data achieve the same performance as they were trained on purely clean data. |
| Researcher Affiliation | Collaboration | Yige Li (Xidian University); Xixiang Lyu (Xidian University); Nodens Koren (University of Copenhagen); Lingjuan Lyu (Sony AI); Bo Li (University of Illinois at Urbana-Champaign); Xingjun Ma (Fudan University) |
| Pseudocode | No | The paper describes the ABL method in detail using text and mathematical equations, but it does not include a structured pseudocode or algorithm block. |
| Open Source Code | Yes | Code is available at https://github.com/bboylyg/ABL. |
| Open Datasets | Yes | All attacks are evaluated on three benchmark datasets, CIFAR-10 [40], GTSRB [41] and an ImageNet subset [42] |
| Dataset Splits | No | The paper mentions evaluating on test sets and exploring different turning epochs, which would typically involve a validation set, but it does not explicitly state the dataset split percentages or sizes for training, validation, or test sets. |
| Hardware Specification | No | The paper does not provide specific details regarding the hardware used for experiments, such as GPU models, CPU types, or cloud computing specifications. |
| Software Dependencies | No | The paper does not provide specific version numbers for software dependencies or libraries used in the experiments. |
| Experiment Setup | Yes | For our ABL, we set T = 100, T_te = 20, γ = 0.5 and an isolation rate p = 0.01 (1%) in all experiments. The exploration of different T_te, γ, and isolation rates p are also provided in Section 4.1. Three data augmentation techniques suggested in [10] including random crop (padding = 4), horizontal flipping, and cutout, are applied for all defense methods. |