Backdoor attack HuggingFace Model Automatic Speech Recognition via HuggingFaceClassifierPytorch ART about adversarial-robustness-toolbox HOT 5 OPEN

Hi @OrsonTyphanel93,

Thanks for bringing this up!

So HuggingFaceClassifierPyTorch will try and perform a forward pass to determine the model structure - something that is often needed for poisoning attacks and defences. To do so a dummy input sample will be created based on the supplied input_shape. In which case, if the model expects 1D inputs the input_shape should just be the sequence length: i.e. without any batching.

The code snippet below should work.

What's the motivation in your case which requires the input_shape to be different compared to the standard Wav2Vec2ForCTC format? Perhaps it is a use-case we have not considered and we can look into supporting it.

model = transformers.AutoModelForAudioClassification.from_pretrained(
        'facebook/wav2vec2-base-960h',
        ignore_mismatched_sizes=True,
        num_labels=2
    )

input_values = np.random.normal(size=1000)
_ = HuggingFaceClassifierPyTorch(
    model=model,
    loss=torch.nn.CrossEntropyLoss(),
    optimizer=torch.optim.Adam(model.parameters(), lr=1e-4),
    input_shape=input_values.shape,
    nb_classes=2,
)

from adversarial-robustness-toolbox.

In my case, for example, I'm using Hugging Face's Wav2Vec2ForCTC template, which expects input in a specific format. However, I'm providing input with a shape (124, 129, 1) that matches my data, which I think is causing the mismatch.

To solve this problem, I guess I need to adjust the shape of the input to match what the model expects. According to the Hugging Face documentation, the Wav2Vec2ForCTC model expects input in the form of (batch_size, sequence_length) I've already tried this but still get the same error.

from adversarial-robustness-toolbox.

Hi guys, thanks! I just had to customize this ART classifier and transpose my data to 3 channels.

@i'll be making the notebook public soon, just reorganize it .... : )

from adversarial-robustness-toolbox.

notebook HugginFace Backdoor link HugginFace Backdoor attack

hi guys @beat-buesser ! here is the final notebook you can now test it with codecov please , i think it has a very fast optimization ,

I've tested it with all the audio models available on HugginFace, and they've all been 'backdoored'! as far as I know, you can keep the classifier as it is. I've customized the classifier in this code so that users who play with audio data won't have any trouble using your classifier.

thanks again guys!

from adversarial-robustness-toolbox.

Thank you very much Dear @GiulioZizzo ! , for your intervention!

Some particular requirements, such as the following, may be the reason for HuggingFaceClassifierPyTorch to specify an alternate input format instead of the normal Wav2Vec2ForCTC format:
Individual audio sequence processing: Rather than combining similar audio sequences, the model might be built to handle each one separately. Applications such as processing audio fragments of varying lengths or real-time speech recognition may benefit from this.
Specific procedures or layers in the model may call for a particular type of 1D input due to its specialized architecture)

from adversarial-robustness-toolbox.