Issues about attack privileges #13
Comments
|
Many thanks for your interesting question. When we developed the paper, we only focused on attacks with full control on the training process. However, I agree that with some modifications, the work can be adopted to poisoning attacks. I have done a quick test on CIFAR-10, in which I fixed the images to be poisoned or noised during training. The attack still succeeded with the desired clean accuracy and ASR. You can modify our code or check other toolboxes for the poisoning attack versions of our work. Some example toolboxes I have found (but not verified): I hope this helps to answer your question. |
|
I am very happy to receive your response. Based on your suggestions, we have reproduced two fixed index WaNet attack methods: (1) Set the shuffle parameter of dataloader in dataloader.py to False. This ensures that the generated dataloader does not shuffle the data order for each epoch, thus ensuring consistency in poisoning samples throughout each epoch. In the two fixed index reproduction methods you mentioned: To ensure that the issue is not with my CIFAR-10 dataset, I tried several attacks on CIFAR-10 (use fixed index method (1) and (2)): You can try changing "shuffle=True" to "shuffle=False" in the line "dataloader = torch.utils.data.DataLoader(dataset, batch_size=opt.bs, num_workers=opt.num_workers, shuffle=True)" of your code dataloader.py. With this change, you will get results similar to mine in CIFAR-10. However, when I used WaNet without fixed indexing, meaning with the dataloader shuffle set to true: Currently, I am unable to achieve the desired performance of ASR in WaNet under fixed poisoning on CIFAR10. I would like to know the approach of fixed index you used to achieve the desired on CIFAR10. Looking forward to your response! |
I'm sorry, I have some questions to ask.
In the WaNet paper, it is mentioned that attackers can control the model's training process, but WaNet seems to only require poisoning of the training set (by mixing "attack" and "noise" samples into the training set) to complete the attack. So, is WaNet a poisoning attack or an attack that controls the training process?
I also noticed that in the WaNet code, when generating poisoned samples, it selects num_bd+num_cross clean samples from each batch in the dataloader. However, the shuffle parameter in the dataloader is set to True, which means that the order of batches will be shuffled in each epoch, so the first num_bd+num_cross clean samples in each epoch are not the same, resulting in different sets of poisoned samples generated in each epoch. If a fixed set of poisoned samples is selected for each epoch, would the WaNet attack still be effective?
Looking forward to your reply!
The text was updated successfully, but these errors were encountered: