Source code for defense.ac

# MIT License
#
# Copyright (C) The Adversarial Robustness Toolbox (ART) Authors 2018
#
# Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated
# documentation files (the "Software"), to deal in the Software without restriction, including without limitation the
# rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit
# persons to whom the Software is furnished to do so, subject to the following conditions:
#
# The above copyright notice and this permission notice shall be included in all copies or substantial portions of the
# Software.
#
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE
# WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT,
# TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
'''
This file is modified based on the following source:
link : https://github.com/Trusted-AI/adversarial-robustness-toolbox/blob/main/art/defences/detector/poison/activation_defence.py.
The defense method is called ac.

The updates include:
    1. data preprocess and dataset setting
    2. model setting
    3. args and config
    4. during training the backdoor attack generalization to lower poison ratio (generalize_to_lower_pratio)
    5. save process
    6. new standard: robust accuracy
    7. reintegrate the framework
    8. hook the activation of the neural network
    9. add some additional backbones such as preactresnet18, resnet18 and vgg19
    10. for data sets with many analogies, the classification bug existing in the original method is fixed
basic structure for defense method:
    1. basic setting: args
    2. attack result(model, train data, test data)
    3. ac defense:
        a. classify data by activation results
        b. identify backdoor data according to classification results
        c. retrain the model with filtered data
    4. test the result and get ASR, ACC, RC
'''

from defense.base import defense


class ac(defense):
    r"""Detecting Backdoor Attacks on Deep Neural Networks by Activation Clustering

    basic structure:

    1. Config args, save_path, fix random seed
    2. Load the backdoor attack data and backdoor test data
    3. AC defense:
        a. Classify data by activation results
        b. Identify backdoor data according to classification results
        c. Retrain the model with filtered data
    4. Test the result and get ASR, ACC, RC

    .. code-block:: python

        parser = argparse.ArgumentParser(description=sys.argv[0])
        ac.add_arguments(parser)
        args = parser.parse_args()
        ac_method = ac(args)
        if "result_file" not in args.__dict__:
            args.result_file = 'one_epochs_debug_badnet_attack'
        elif args.result_file is None:
            args.result_file = 'one_epochs_debug_badnet_attack'
        result = ac_method.defense(args.result_file)

    .. Note::
        @article{chen2018detecting,
        title={Detecting backdoor attacks on deep neural networks by activation clustering},
        author={Chen, Bryant and Carvalho, Wilka and Baracaldo, Nathalie and Ludwig, Heiko and Edwards, Benjamin and Lee, Taesung and Molloy, Ian and Srivastava, Biplav},
        journal={arXiv preprint arXiv:1811.03728},
        year={2018}}

    Args:
        basic args: in the base class
        nb_dims (int): number of dimensions to reduce activation to by PCA.
        nb_clusters (int): number of clusters (defaults to 2 for poison/clean).
        cluster_analysis (str): the method of cluster analysis (smaller, relative-size, distance, silhouette-scores)
        cluster_batch_size (int): the batch size of cluster analysis
    """

    def __init__(self, parser):
        super(ac, self).__init__(parser)
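The docstring above describes the three defensive steps (cluster the activations of each predicted class, decide which cluster is the poisoned one, then filter) and lists nb_dims, nb_clusters and cluster_analysis as the knobs. The following is an added, self-contained illustration of that pipeline and is not BackdoorBench's or ART's own code: PCA by SVD, a plain k-means, and the "relative-size" cluster analysis, run over constructed activations (a large clean blob plus a small shifted blob standing in for backdoored inputs). The 0.35 size threshold, the sample counts and the shift are assumptions; only numpy is required.

```python
# Added example, not BackdoorBench's or ART's code: a minimal, self-contained
# version of the activation clustering pipeline described in the docstring
# (PCA -> k-means -> "relative-size" cluster analysis) on constructed data.
import numpy as np


def pca_reduce(acts: np.ndarray, nb_dims: int = 2) -> np.ndarray:
    """Project activations onto their top nb_dims principal components via SVD."""
    centered = acts - acts.mean(axis=0, keepdims=True)
    _, _, vt = np.linalg.svd(centered, full_matrices=False)
    return centered @ vt[:nb_dims].T


def kmeans(points: np.ndarray, nb_clusters: int = 2, n_iter: int = 100, seed: int = 0) -> np.ndarray:
    """Lloyd's k-means with seeded random init; returns one integer label per row."""
    rng = np.random.default_rng(seed)
    centers = points[rng.choice(len(points), nb_clusters, replace=False)].copy()
    labels = None
    for _ in range(n_iter):
        dists = ((points[:, None, :] - centers[None, :, :]) ** 2).sum(axis=2)
        new_labels = dists.argmin(axis=1)
        if labels is not None and np.array_equal(new_labels, labels):
            break  # assignments stable: converged
        labels = new_labels
        for k in range(nb_clusters):
            members = points[labels == k]
            if len(members):  # an emptied cluster keeps its previous center
                centers[k] = members.mean(axis=0)
    return labels


def analyze_by_relative_size(labels: np.ndarray, nb_clusters: int = 2, size_threshold: float = 0.35):
    """'relative-size' analysis: flag the class when its smallest cluster holds
    fewer than size_threshold of the samples (0.35 is an assumed default).
    Returns (flagged, per-sample suspicious mask, cluster fractions)."""
    counts = np.bincount(labels, minlength=nb_clusters)
    fractions = counts / counts.sum()
    smallest = int(fractions.argmin())
    return bool(fractions[smallest] < size_threshold), labels == smallest, fractions


def detect(acts: np.ndarray, nb_dims: int = 2, nb_clusters: int = 2, size_threshold: float = 0.35):
    """Full pipeline for the activations of the samples predicted as one class."""
    labels = kmeans(pca_reduce(acts, nb_dims), nb_clusters)
    return analyze_by_relative_size(labels, nb_clusters, size_threshold)


def make_activations(n_clean: int = 180, n_poison: int = 20, dim: int = 64, seed: int = 1):
    """Constructed activations (not real data): clean samples around one mean,
    poisoned samples around a shifted mean, mirroring the paper's observation that
    backdoored inputs excite a different set of neurons than clean ones do."""
    rng = np.random.default_rng(seed)
    clean = rng.normal(0.0, 1.0, size=(n_clean, dim))
    poison = rng.normal(0.0, 1.0, size=(n_poison, dim)) + 6.0  # assumed shift
    acts = np.vstack([clean, poison])
    truth = np.concatenate([np.zeros(n_clean, bool), np.ones(n_poison, bool)])
    return acts, truth


if __name__ == "__main__":
    acts, truth = make_activations()
    flagged, suspicious, fractions = detect(acts)
    print("class flagged as poisoned:", flagged, "cluster fractions:", fractions)
    print("suspicious mask matches constructed truth:", bool((suspicious == truth).all()))
    clean_only, _ = make_activations(n_poison=0)
    print("clean-only class flagged:", detect(clean_only)[0])
```

The relative-size rule is the one that needs the caveat the docstring's cluster_analysis option hints at: on a class with no poison, k-means still produces two clusters, so the defender's decision rests entirely on the size imbalance (here a clean-only class splits roughly in half and is not flagged). The other analysis methods the docstring lists (smaller, distance, silhouette-scores) trade that threshold for different assumptions and are not reproduced here.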