reds-lab / Narcissus

The official implementation of the CCS'23 paper, Narcissus clean-label backdoor attack -- only takes THREE images to poison a face recognition dataset in a clean-label way and achieves a 99.89% attack success rate.
https://arxiv.org/pdf/2204.05255.pdf
MIT License

Is the labeling correct? #8

Open hideyuki-oiso opened 11 months ago

hideyuki-oiso commented 11 months ago

The results in your paper are excellent, and I would like to reproduce them. However, I have a question about Narcissus.ipynb.

The Poi_warm_up_loader variable receives train_target, but the label of this dataset is still the CIFAR-10 label ("2" for the target class in the code). However, during training of the surrogate model, the CIFAR-10 and TinyImageNet data were concatenated, and the label of the instances of the CIFAR-10 target class was assigned to "200". Therefore, isn't it unintentional to train with train_target since the labels are different?

I have the same question about trigger_gen_loaders.

Please let me know if my interpretation is wrong.

Thank you.

pmzzs commented 9 months ago

It is fine to use any label in the surrogate model. The surrogate aims to make the model a feature extractor, and as the target class is included in the training dataset, the model will be able to distinguish from class to class.