Skip to content

Uooga/BackdoorBox

BranchesTags
 
 

Folders and files

NameName
Last commit message
Last commit date

Latest commit

 

History

216 Commits
core
core
 
 
tests
tests
 
 
.DS_Store
.DS_Store
 
 
.gitignore
.gitignore
 
 
LICENSE
LICENSE
 
 
README.md
README.md
 
 
example.py
example.py
 
 
requirements.txt
requirements.txt
 
 

Repository files navigation

BackdoorBox: A Python Toolbox for Backdoor Attacks and Defenses

Python 3.8 Pytorch 1.8.0 torchvision 0.9.0 CUDA 11.1 License GPL

Backdoor attacks are emerging yet critical threats in the training process of deep neural networks (DNNs), where the adversary intends to embed specific hidden backdoor into the models. The attacked DNNs will behave normally in predicting benign samples, whereas the predictions will be maliciously changed whenever the adversary-specified trigger patterns appear. Currently, there were many existing backdoor attacks and defenses. Although most of them were open-sourced, there is still no toolbox that can easily and flexibly implement and compare them simultaneously.

BackdoorBox is an open-sourced Python toolbox, aiming to implement representative and advanced backdoor attacks and defenses under a unified framework that can be used in a flexible manner. We will keep updating this toolbox to track the latest backdoor attacks and defenses.

Currently, this toolbox is still under development (but the attack parts are almost done) and there is no user manual yet. However, you can easily implement our provided methods by referring to the tests sub-folder to see the example codes of each implemented method. In particular, you are always welcome to contribute your backdoor attacks or defenses by pull requests!

Toolbox Characteristics

  • Consistency: Instead of implementing each method separately, we develop all methods in a unified manner. Specifically, variables having the same function have a consistent name. Similar methods inherit the same base class for further development, have a unified workflow, and have the same core sub-functions (e.g., get_model().
  • Simplicity: We provide code examples for each implemented backdoor attack and defense to explain how to use them, the definitions and default settings of all required attributes, and the necessary code comments. Users can easily implement and develop our toolbox.
  • Flexibility: We allow users to easily obtain important intermediate outputs and components of each method (e.g., poisoned dataset and attacked/repaired model), use their local samples and model structure for attacks and defenses, and interact with their local codes. The attack and defense modules can be used jointly or separately.
  • Co-development: All codes and developments are hosted on Github to facilitate collaboration. Currently, there are more than seven contributors have helped develop the code base and others have contributed to the code test. This developing paradigm facilitates rapid and comprehensive development and bug finding.

Current Status

Developed Methods

Backdoor Attacks

Method Source Key Properties Note
BadNets IEEE ACCESS, 2019 poison-only first backdoor attack
Blended Attack arXiv, 2017 poison-only, invisible first invisible attack
Refool (simplified version) ECCV, 2020 poison-only, sample-specific first stealthy attack with visible yet natural trigger
Label-consistent Attack arXiv, 2019 poison-only, invisible, clean-label first clean-label backdoor attack
ISSBA ICCV, 2021 poison-only, sample-specific, physical first poison-only sample-specific attack
WaNet ICLR, 2021 poison-only, invisible, sample-specific
Blind Backdoor (blended-based) USENIX Security, 2021 training-controlled first training-controlled attack targeting loss computation
Input-aware Dynamic Attack NeurIPS, 2020 training-controlled, optimized, sample-specific first training-controlled sample-specific attack
Physical Attack ICLR Workshop, 2021 training-controlled, physical first physical backdoor attack
LIRA ICCV, 2021 training-controlled, invisible, optimized, sample-specific

Note: For the convenience of users, all our implemented attacks support obtaining poisoned dataset (via .get_poisoned_dataset()), obtaining infected model (via .get_model()), and training with your own local samples (loaded via torchvision.datasets.DatasetFolder). Please refer to base.py and the attack's codes for more details.

Backdoor Defenses

  • ShrinkPad (Key Properties: Pre-processing-based Defense)
  • FineTuning (Key Properties: Model Repairing)
  • MCR (Key Properties: Model Repairing)

Methods Under Development

  • TUAP (basic version)
  • Sleeper Agent
  • NAD
  • Pruning
  • DBD
  • SS
  • ABL

Contributors

Organization Contributors
Tsinghua University Yiming Li, Mengxi Ya, Guanhao Gan, Kuofeng Gao, Xin Yan, Jia Xu, Tong Xu, Sheng Yang, Haoxiang Zhong, Linghui Zhu, Yang Bai

Citation

If our toolbox is useful for your research, please cite our paper(s) as follows:

@article{li2022backdoorbox,
  title={{BackdoorBox}: A Python Toolbox for Backdoor Learning},
  author={Li, Yiming and Ya, Mengxi and Bai, Yang and Jiang, Yong and Xia, Shu-Tao},
  year={2022}
}

@article{li2020backdoor,
  title={Backdoor Learning: A Survey},
  author={Li, Yiming and Jiang, Yong and Li, Zhifeng and Xia, Shu-Tao},
  journal={arXiv preprint arXiv:2007.08745},
  year={2020}
}

About

for TUAP

Resources

Readme

License

GPL-2.0 license
Activity

Stars

0 stars

Watchers

0 watching

Forks

0 forks
Report repository

Releases

No releases published

Packages

No packages published

Languages

  • Python 98.6%
  • Jupyter Notebook 1.4%