Open gongzhimin opened 2 years ago
Hello, thank you for sharing the code. You paper[1] provides a great insight to link image steganography to data poisoning.
And I have two questions about the comparison experiments with
BadNets
. The trigger pattern ofBadNets
in your paper looks different from that in the original paper[2].
- Does it matter? I wonder if your pattern is more effective than the original, so you replace it with a cross shape at the right bottom corner of each image.
- How you define
BadNets
? Your methodISSBA
is quite different fromBadNets
during poisoning. So canBadNets
be described as a backdoor attack which generates (any) fixed trigger shape directly in the pixel space and has no trigger generation algorithm?Thank you for your patience and looking for your early reply. ^o^
[1] Li Y, Li Y, Wu B, et al. Invisible backdoor attack with sample-specific triggers. [2] Gu T, Dolan-Gavitt B, Garg S. Badnets: Identifying vulnerabilities in the machine learning model supply chain.
Thank you for your question and sorry for the late response. As you mentioned, following existing works, we define BadNets as an attack with stamped (transparency=1) (fixed) trigger patch. We use the current trigger pattern simply because it is easy to define on datasets with large image resolution. You can also use other trigger patterns if you want.
@THUYimingLi Thank you, your reply is extremely helpful!
Hello, thank you for sharing the code. You paper[1] provides a great insight to link image steganography to data poisoning.
And I have two questions about the comparison experiments with
BadNets
. The trigger pattern ofBadNets
in your paper looks different from that in the original paper[2].Does it matter? I wonder if your pattern is more effective than the original, so you replace it with a cross shape at the right bottom corner of each image.
How you define
BadNets
? Your methodISSBA
is quite different fromBadNets
during poisoning. So canBadNets
be described as a backdoor attack which generates (any) fixed trigger shape directly in the pixel space and has no trigger generation algorithm?Thank you for your patience and looking for your early reply. ^o^
[1] Li Y, Li Y, Wu B, et al. Invisible backdoor attack with sample-specific triggers. [2] Gu T, Dolan-Gavitt B, Garg S. Badnets: Identifying vulnerabilities in the machine learning model supply chain.