Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks

Updated to include new benchmarks on TinyImageNet dataset (November 2020)

This repository is the official implementation of Just How Toxic is Data Poisoning? A Unified Benchmark for Backdoor and Data Poisoning Attacks.

CIFAR-10

Transfer Learning

| Attack | White-box (%) | Black-box (%) |
|---|---|---|
| Feature Collision | 22.0 | 7.0 |
| Convex Polytope | 33.0 | 7.0 |
| Bullseye Polytope | 85.0 | 8.5 |
| Clean Label Backdoor | 5.0 | 6.5 |
| Hidden Trigger Backdoor | 10.0 | 9.5 |

From Scratch Training

| Attack | ResNet-18 (%) | MobileNetV2 (%) | VGG11 (%) | Average (%) |
|---|---|---|---|---|
| Feature Collision | 0 | 1 | 3 | 1.33 |
| Convex Polytope | 0 | 1 | 1 | 0.67 |
| Bullseye Polytope | 3 | 3 | 1 | 2.33 |
| Witches' Brew | 45 | 25 | 8 | 26.00 |
| Clean Label Backdoor | 0 | 1 | 2 | 1.00 |
| Hidden Trigger Backdoor | 0 | 4 | 1 | 2.67 |

TinyImageNet

Transfer Learning

| Attack | White-box (%) | Black-box (%) |
|---|---|---|
| Feature Collision | 49.0 | 32.0 |
| Convex Polytope | 14.0 | 1.0 |
| Bullseye Polytope | 100.0 | 10.5 |
| Clean Label Backdoor | 3.0 | 1.0 |
| Hidden Trigger Backdoor | 3.0 | 0.5 |

From Scratch Training

| Attack | VGG11 (%) |
|---|---|
| Feature Collision | 4 |
| Convex Polytope | 0 |
| Bullseye Polytope | 44 |
| Witches' Brew | 32 |
| Clean Label Backdoor | 0 |
| Hidden Trigger Backdoor | 0 |

For more information on each attack, consult our paper and the original sources listed there.

Getting Started:

Requirements

To install requirements:

pip install -r requirements.txt

Then download the TinyImageNet dataset (also available on our drive). In learning_module.py, change the line

TINYIMAGENET_ROOT = "/fs/cml-datasets/tiny_imagenet"

so that it points to your unzipped TinyImageNet directory. (The path is left in this repo to match our filesystem and will likely not work with yours.)

Pre-trained Models

Pre-trained checkpoints used in this benchmark can be downloaded from here. They should be copied into the pretrained_models folder (which is empty until downloaded models are added).


Testing

To test a model, run:

python test_model.py --model <model> --model_path <path_to_model_file>

See the code for additional optional arguments.

Crafting Poisons With Our Setups

See How To for full details and sample code.

Evaluating A Single Batch of Poison Examples

We have left one sample folder of poisons in poison_examples.

python poison_test.py --model <model> --model_path <model_path> --poisons_path <path_to_poisons_dir>

This allows users to test their poisons in a variety of settings, not only the benchmark setups. See the file poison_test.py for a comprehensive list of arguments.

Benchmarking A Backdoor or Triggerless Attack

To compute benchmark scores, craft 100 batches of poisons using the setup pickles (for transfer learning: poison_setups_transfer_learning.pickle, for from-scratch training: poison_setups_from_scratch.pickle), and run the following.

Important Note: In order to be on the leaderboard, new submissions must host their poisoned datasets online for public access, so that results can be corroborated without producing new poisons. Consider a Dropbox or Google Drive folder containing all 100 batches of poisons.

For one trial of transfer learning poisons:

python benchmark_test.py --poisons_path <path_to_poison_directory> --dataset <dataset>

For one trial of from-scratch training poisons:

python benchmark_test.py --poisons_path <path_to_poison_directory> --dataset <dataset> --from_scratch

To benchmark 100 batches of poisons, run

bash benchmark_all.sh <path_to_directory_with_100_batches>

or

bash benchmark_all.sh <path_to_directory_with_100_batches> from_scratch
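The benchmark score for an attack is the fraction of the 100 poison batches that succeed on each victim architecture, and the tables above report that per-architecture percentage together with its mean. The script below is an added example, not code from this repository: it assumes a constructed per-batch record format (one dict per batch per victim model with a boolean `success`) rather than the actual output of benchmark_test.py, and it aggregates such records into the same shape as the "From Scratch Training" table. It also attaches a Wilson 95% confidence interval to each rate, which makes visible how coarse a 100-trial estimate is (roughly ±10 percentage points near 50%), so that small differences between attacks are not over-interpreted.

```python
"""Aggregate per-batch poison benchmark outcomes into a success-rate table.

Added example for this README; it is not part of the poisoning-benchmark code.
The record format below is constructed for illustration: the repository's own
benchmark_test.py output is not assumed here.
"""
from collections import defaultdict
from math import sqrt
from typing import Dict, Iterable, List, Tuple

ARCHITECTURES = ["ResNet-18", "MobileNetV2", "VGG11"]


def make_sample_results() -> List[dict]:
    """Constructed sample: 100 batches evaluated on three architectures.

    A record's `success` is True when the victim model trained on that poison
    batch misclassified the target as the attacker intended. The per-architecture
    hit counts are hypothetical values chosen only to exercise the aggregation.
    """
    hypothetical_hits = {"ResNet-18": 45, "MobileNetV2": 25, "VGG11": 8}
    results = []
    for arch, n_hits in hypothetical_hits.items():
        for batch_id in range(100):
            results.append({"batch": batch_id, "model": arch,
                            "success": batch_id < n_hits})
    return results


def count_outcomes(results: Iterable[dict]) -> Dict[str, Tuple[int, int]]:
    """Return {model: (successes, trials)} over all records."""
    totals = defaultdict(int)
    hits = defaultdict(int)
    for r in results:
        totals[r["model"]] += 1
        hits[r["model"]] += int(bool(r["success"]))
    return {m: (hits[m], totals[m]) for m in totals}


def success_rates(results: Iterable[dict]) -> Dict[str, float]:
    """Per-architecture success rate in percent, as the benchmark tables report."""
    return {m: 100.0 * s / n for m, (s, n) in count_outcomes(results).items()}


def average_rate(rates: Dict[str, float]) -> float:
    """The 'Average (%)' column: unweighted mean over architectures, 2 decimals."""
    return round(sum(rates.values()) / len(rates), 2)


def wilson_interval(successes: int, trials: int, z: float = 1.96) -> Tuple[float, float]:
    """95% Wilson score interval for a proportion (as fractions in [0, 1]).

    Unlike the naive normal interval this stays inside [0, 1] and behaves
    sensibly for rates near 0%, which several rows of the tables show.
    """
    if trials == 0:
        return (0.0, 0.0)
    p = successes / trials
    z2 = z * z
    denom = 1.0 + z2 / trials
    centre = (p + z2 / (2.0 * trials)) / denom
    half = z * sqrt(p * (1.0 - p) / trials + z2 / (4.0 * trials * trials)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))


def summary_table(results: Iterable[dict]) -> List[Tuple[str, float, float, float]]:
    """Rows of (model, rate %, CI low %, CI high %) in ARCHITECTURES order."""
    records = list(results)
    counts = count_outcomes(records)
    rows = []
    for arch in ARCHITECTURES:
        s, n = counts.get(arch, (0, 0))
        lo, hi = wilson_interval(s, n)
        rows.append((arch, 100.0 * s / n if n else 0.0, 100.0 * lo, 100.0 * hi))
    return rows


if __name__ == "__main__":
    sample = make_sample_results()
    for arch, rate, lo, hi in summary_table(sample):
        print(f"{arch:12s} {rate:6.2f}%   95% CI [{lo:5.1f}%, {hi:5.1f}%]")
    print(f"{'Average':12s} {average_rate(success_rates(sample)):6.2f}%")
```

Running the script prints one row per architecture plus the average; the constructed hit counts reproduce the Witches' Brew row of the CIFAR-10 table (45, 25, 8, average 26.00) so the arithmetic can be checked against the README. To use it on real runs, replace make_sample_results with a loader that turns each benchmark_test.py trial into a record of the same shape.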