- This is the PyTorch implementation for IEEE S&P 2024 paper "Exploring the Orthogonality and Linearity of Backdoor Attacks".
- Python >= 3.7.13
- PyTorch >= 1.12.0
- TorchVision >= 0.13.0
# Create python environment (optional)
conda env create -f environment.yml
conda activate orth
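After activating the environment, a quick sanity check (a minimal sketch; it only tests that the packages above are importable, not their pinned versions) can confirm the core dependencies are present:

```python
import importlib.util

# Check that the core dependencies listed above are importable
# without actually importing them.
for pkg in ("torch", "torchvision"):
    found = importlib.util.find_spec(pkg) is not None
    print(f"{pkg}: {'found' if found else 'MISSING'}")
```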
In our paper, we formalize backdoor learning as a two-task continual learning problem: (1) an initial rapid learning phase, in which the backdoor task is acquired within a few training epochs, followed by (2) a subsequent phase of gradual learning over the clean task.
Training dynamics plots: CIFAR10 Training with BadNet, CIFAR10 Training with Blend, and CIFAR10 Training with WaNet.
We provide the code to demonstrate this observation in the `plot` folder. You can run the following command to plot the results:
python plot_training.py badnet
There are two functions, `eval_orthogonal` in `eval_orthogonality.py` and `eval_linear` in `eval_linearity.py`. You can use these functions to evaluate the orthogonality and linearity of your model.
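As a rough illustration of the underlying notion (a hypothetical sketch, not the repo's `eval_orthogonal` implementation): two tasks are orthogonal when their flattened gradient directions have near-zero cosine similarity.

```python
import math

def cosine_similarity(u, v):
    """Cosine of the angle between two flattened gradient vectors."""
    dot = sum(a * b for a, b in zip(u, v))
    norm_u = math.sqrt(sum(a * a for a in u))
    norm_v = math.sqrt(sum(b * b for b in v))
    return dot / (norm_u * norm_v)

# Hypothetical gradient directions for the backdoor task and the clean task:
# orthogonal tasks yield a cosine similarity near zero.
g_backdoor = [1.0, 0.0, 2.0]
g_clean = [0.0, 3.0, 0.0]
print(cosine_similarity(g_backdoor, g_clean))  # 0.0
```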
You can evaluate the orthogonality of your model, optionally at a specific epoch, by running one of the following commands:
CUDA_VISIBLE_DEVICES=0 python eval_orthogonality.py --attack badnet --dataset cifar10 --network resnet18 --suffix _epoch_10
CUDA_VISIBLE_DEVICES=0 python eval_orthogonality.py --attack badnet --dataset cifar10 --network resnet18
The `--suffix` argument is optional. For example, `--suffix _epoch_10` evaluates the orthogonality of the model at epoch 10. If you do not specify a suffix, the code evaluates the orthogonality of the model at the last epoch.
You can evaluate the linearity of your model, optionally at a specific epoch, by running one of the following commands:
CUDA_VISIBLE_DEVICES=0 python eval_linearity.py --attack badnet --dataset cifar10 --network resnet18 --suffix _epoch_10
CUDA_VISIBLE_DEVICES=0 python eval_linearity.py --attack badnet --dataset cifar10 --network resnet18
The `--suffix` argument is optional. For example, `--suffix _epoch_10` evaluates the linearity of the model at epoch 10. If you do not specify a suffix, the code evaluates the linearity of the model at the last epoch.
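As a rough illustration of linearity itself (a hypothetical sketch, not the repo's `eval_linear` implementation): a map is linear when it satisfies additivity, so its deviation from additivity can serve as a simple linearity gap.

```python
def linearity_gap(f, x1, x2):
    """Deviation from additivity: zero iff f(x1 + x2) == f(x1) + f(x2)."""
    return abs(f(x1 + x2) - (f(x1) + f(x2)))

print(linearity_gap(lambda x: 3.0 * x, 2.0, 5.0))  # 0.0 for a linear map
print(linearity_gap(lambda x: x * x, 2.0, 5.0))    # 20.0 for a nonlinear map
```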
We provide the necessary checkpoints in the `ckpt` folder. If you want to train the model from scratch, you can run the following command:
CUDA_VISIBLE_DEVICES=0 python evaluate.py --dataset ${dataset} --network ${network} --phase xx
The `--phase` can be `train`, `test`, or `poison`. The `--dataset` can be `cifar10` or `gtsrb`. The `--network` can be `resnet18` (for `cifar10`) or `wrn` (for `gtsrb`).
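For example, one instantiation of the command above (a sketch assuming the repo's default checkpoint and data paths) trains on `cifar10` with `resnet18`:

```shell
# Example instantiation; substitute `test` or `poison` for other phases.
CUDA_VISIBLE_DEVICES=0 python evaluate.py --dataset cifar10 --network resnet18 --phase train
```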
We evaluate on 14 attacks and 12 defenses. We divide the 12 defenses into three categories: Model Detection (the `model_detection` folder), Backdoor Mitigation (the `backdoor_mitigation` folder), and Input Detection (the `input_detection` folder). You can run the code as follows:
CUDA_VISIBLE_DEVICES=0 python xx.py --dataset ${dataset} --network ${network} --phase ${phase} --attack ${attack}
In the above command line, `xx.py` can be `model_detection.py`, `backdoor_mitigation.py`, or `input_detection.py`; `--dataset` can be `cifar10` or `gtsrb`; `--network` can be `resnet18` (for `cifar10`) or `wrn` (for `gtsrb`); `--phase` can be `nc`, `pixel`, `abs`, `fineprune`, `nad`, `anp`, `seam`, `ac`, `ss`, `spectre`, or `scan`; `--attack` can be `clean`, `badnet`, `trojnn`, `dynamic`, `inputaware`, `reflection`, `blend`, `sig`, `filter`, `dfst`, `wanet`, `invisible`, `lira`, or `composite`.
- Model Detection

  Taking `cifar10` as an example, you can run the following command to evaluate the defense method `nc` (in the `model_detection` category) against the `badnet` attack:

  CUDA_VISIBLE_DEVICES=0 python model_detection.py --dataset cifar10 --network resnet18 --phase nc --attack badnet
- Backdoor Mitigation

  Taking `cifar10` as an example, you can run the following command to evaluate the defense method `fineprune` (in the `backdoor_mitigation` category) against the `badnet` attack:

  CUDA_VISIBLE_DEVICES=0 python backdoor_mitigation.py --dataset cifar10 --network resnet18 --phase fineprune --attack badnet

  The `seam` defense ("Selective Amnesia: On Efficient, High-Fidelity and Blind Suppression of Backdoor Effects in Trojaned Machine Learning Models") runs as the following command:

  CUDA_VISIBLE_DEVICES=0 python seam.py --dataset cifar10 --network resnet18 --attack badnet
- Input Detection

  Taking `cifar10` as an example, you can run the following command to evaluate the defense method `scan` (in the `input_detection` category) against the `badnet` attack:

  CUDA_VISIBLE_DEVICES=0 python input_detection.py --dataset cifar10 --network resnet18 --phase scan --attack badnet
Please cite our work as follows if you use it for any purpose:
@inproceedings{zhang2024exploring,
title={Exploring the Orthogonality and Linearity of Backdoor Attacks},
author={Zhang, Kaiyuan and Cheng, Siyuan and Shen, Guangyu and Tao, Guanhong and An, Shengwei and Makur, Anuran and Ma, Shiqing and Zhang, Xiangyu},
booktitle={2024 IEEE Symposium on Security and Privacy (SP)},
pages={225--225},
year={2024},
url = {https://doi.ieeecomputersociety.org/10.1109/SP54263.2024.00182},
organization={IEEE Computer Society}
}