REFINE: Inversion-Free Backdoor Defense via Model Reprogramming
Authors: Yukun Chen, Shuo Shao, Enhao Huang, Yiming Li, Pin-Yu Chen, Zhan Qin, Kui Ren
ICLR 2025 | Venue PDF | Archive PDF | Plain Text | LLM Run Details
| Reproducibility Variable | Result | LLM Response |
|---|---|---|
| Research Type | Experimental | In this section, we evaluate the effectiveness of our REFINE compared with different existing backdoor defenses. We also conduct an ablation study and evaluate the resistance to potential adaptive attacks. The analysis of the overhead of REFINE is in Appendix F and the implementation of REFINE in the black-box scenario is in Appendix E. |
| Researcher Affiliation | Collaboration | 1 State Key Laboratory of Blockchain and Data Security, Zhejiang University 2 Hangzhou High-Tech Zone (Binjiang) Institute of Blockchain and Data Security 3 Nanyang Technological University 4 IBM Research EMAIL; EMAIL; EMAIL |
| Pseudocode | Yes | The pseudo-code of our REFINE optimization process is shown in Algorithm 1. |
| Open Source Code | Yes | Our code is available at https://github.com/Whitolf Chen/REFINE and Backdoor Box. |
| Open Datasets | Yes | We conduct experiments on two classical benchmark datasets, including CIFAR-10 (Krizhevsky et al., 2009) and (a subset of) Image Net (Deng et al., 2009) containing 50 classes. |
| Dataset Splits | Yes | The CIFAR-10 dataset (Krizhevsky et al., 2009) contains 50,000 training samples and 10,000 testing samples in total. The dataset has 10 classes and each class has 5,000 training samples and 1,000 testing samples. Tbe size of each image sample is 3 × 32 × 32. (2) Image Net. The Image Net dataset (Deng et al., 2009) consists of 1,000 classes containing over 14 million manually annotated images. In this paper, we select a subset with 50 different classes and each class contains 500 training samples and 100 testing samples with size 3 × 224 × 224. |
| Hardware Specification | Yes | In our implementations, we utilize Py Torch as the deep learning framework. All our experiments are implemented with RTX 3090 GPUs. |
| Software Dependencies | No | In our implementations, we utilize Py Torch as the deep learning framework. All our experiments are implemented with RTX 3090 GPUs. The paper mentions Py Torch but does not specify a version number. |
| Experiment Setup | Yes | Details of Training Backdoored Models. We utilize the SGD with a momentum of 0.9 and a weight decay of 5 × 10−4 as the optimizer for training all backdoored DNNs. The batch size is set to 128 on both of CIFAR-10 and Image Net. We set the initial learning rate as 0.1 and train all models for 150 epochs, with the learning rate reduced by a factor of 0.1 at the 100-th and 130-th epoch. Details of Optimization. For training the input transformation module, we employ SGD with a momentum of 0.9 and a weight decay of 5 × 10−4 as the optimizer. The initial learning rate is set to 0.01, and the batch size is set to 256 for CIFAR-10 and 64 for Image Net. The input transformation module is trained for 150 epochs, with the learning rate decayed by a factor of 0.8 at the 100-th and 130-th epochs. For the training loss function, we set the temperature parameter as 0.1. |