THUYimingLi
commented
2 years ago Hello, thank you for sharing the code. You paper[1] provides a great insight to link image steganography to data poisoning.
And I have two questions about the comparison experiments with
BadNets. The trigger pattern ofBadNetsin your paper looks different from that in the original paper[2].
- Does it matter? I wonder if your pattern is more effective than the original, so you replace it with a cross shape at the right bottom corner of each image.
- How you define
BadNets? Your methodISSBAis quite different fromBadNetsduring poisoning. So canBadNetsbe described as a backdoor attack which generates (any) fixed trigger shape directly in the pixel space and has no trigger generation algorithm?Thank you for your patience and looking for your early reply. ^o^
[1] Li Y, Li Y, Wu B, et al. Invisible backdoor attack with sample-specific triggers. [2] Gu T, Dolan-Gavitt B, Garg S. Badnets: Identifying vulnerabilities in the machine learning model supply chain.
Thank you for your question and sorry for the late response. As you mentioned, following existing works, we define BadNets as an attack with stamped (transparency=1) (fixed) trigger patch. We use the current trigger pattern simply because it is easy to define on datasets with large image resolution. You can also use other trigger patterns if you want.
gongzhimin
Hello, thank you for sharing the code. You paper[1] provides a great insight to link image steganography to data poisoning.
And I have two questions about the comparison experiments with
BadNets. The trigger pattern ofBadNetsin your paper looks different from that in the original paper[2].Does it matter? I wonder if your pattern is more effective than the original, so you replace it with a cross shape at the right bottom corner of each image.
How you define
BadNets? Your methodISSBAis quite different fromBadNetsduring poisoning. So canBadNetsbe described as a backdoor attack which generates (any) fixed trigger shape directly in the pixel space and has no trigger generation algorithm?Thank you for your patience and looking for your early reply. ^o^
[1] Li Y, Li Y, Wu B, et al. Invisible backdoor attack with sample-specific triggers. [2] Gu T, Dolan-Gavitt B, Garg S. Badnets: Identifying vulnerabilities in the machine learning model supply chain.