Giter VIP home page Giter VIP logo

Comments (3)

mdzhangst avatar mdzhangst commented on July 22, 2024

Hello WhoDunnett.
Thank you very much for your question. We have tested more models in the benchmark, and the threshold/number of these additional models is not given explicit criterion selection in the original ANP. To prevent the model acc from dropping too much, we used the test that acc should not drop more than a certain percentage, rather than the difference between acc and asr, which is also used in the fine-pruning method in Section 2.2 of Fine-Pruning: Defending Against Backdooring Attacks
on Deep Neural Networks. At the same time, we have provided a parameter to determine pruning amplitude directly, simply by entering the pruning_number parameter at runtime.

from backdoorbench.

WhoDunnett avatar WhoDunnett commented on July 22, 2024

Hi mdzhangst,

Thank you for getting back to me. I agree that the use of a percentage drop is needed given that the original ANP paper is vague about the stopping criteria. However, I think this stopping criteria should only consider ACC as the ASR after each round would not be accessible to the defender. Given that ANP assumes access to clean data only, a defender can only measure the ACC around each round and therefore it alone should inform stopping rather than ACC and ASR. Note, that this is how the current FP implementation is currently designed. While the current implementation of ANP is unlikely to produce significantly different results, it might be possible for ASR to increase after several rounds (this is shown in some of the figures in the ANP paper). As a result, the current criteria would bias the selected model to be the one with the lowest ASR that also satisfies the ACC accuracy drop criteria, which is problematic given that ANP assumes access to clean data only.

Hopefully, this makes sense. Please let me know if I am missing something.

from backdoorbench.

mdzhangst avatar mdzhangst commented on July 22, 2024

Hi WhoDunnett,
Thank you for getting back to me. I think ASR should not be obtained in the previous ANP method. We will also modify this criterion in later versions. You can now use python ./defense/anp.py --pruning_number xx to set the threshold of ANP.

from backdoorbench.

Related Issues (20)

Recommend Projects

  • React photo React

    A declarative, efficient, and flexible JavaScript library for building user interfaces.

  • Vue.js photo Vue.js

    🖖 Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.

  • Typescript photo Typescript

    TypeScript is a superset of JavaScript that compiles to clean JavaScript output.

  • TensorFlow photo TensorFlow

    An Open Source Machine Learning Framework for Everyone

  • Django photo Django

    The Web framework for perfectionists with deadlines.

  • D3 photo D3

    Bring data to life with SVG, Canvas and HTML. 📊📈🎉

Recommend Topics

  • javascript

    JavaScript (JS) is a lightweight interpreted programming language with first-class functions.

  • web

    Some thing interesting about web. New door for the world.

  • server

    A server is a program made to process requests and deliver data to clients.

  • Machine learning

    Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.

  • Game

    Some thing interesting about game, make everyone happy.

Recommend Org

  • Facebook photo Facebook

    We are working to build community through open source technology. NB: members must have two-factor auth.

  • Microsoft photo Microsoft

    Open source projects and samples from Microsoft.

  • Google photo Google

    Google ❤️ Open Source for everyone.

  • D3 photo D3

    Data-Driven Documents codes.