'''
This file implements the defense method called D-BR from Effective Backdoor Defense by Exploiting Sensitivity of Poisoned Samples.
This file is modified based on the following source:
link : https://github.com/SCLBD/Effective_backdoor_defense
The defense method is called d-br.
It removes the backdoor from a given backdoored model with a poisoned dataset.
The updates include:
1. data preprocessing and dataset setting
2. model setting
3. args and config
4. save process
5. new standard: robust accuracy
basic structure for the defense method:
1. basic setting: args
2. load attack result (model, train data, test data)
3. d-br defense: mainly two steps: sd and br (Sample-Distinguishment and Backdoor Removal)
(sd:)
a. train a backdoored model from scratch using poisoned dataset without any data augmentations
b. fine-tune the backdoored model with intra-class loss L_intra.
c. calculate values of the FCT metric for all training samples.
d. calculate thresholds for choosing clean and poisoned samples.
e. separate training samples into clean samples D_c, poisoned samples D_p, and uncertain samples D_u.
(br:)
f. unlearn and relearn the backdoored model.
4. test the result and get ASR, ACC, RC
'''
from defense.base import defense
class d_br(defense):
r"""Effective backdoor defense by exploiting sensitivity of poisoned samples
basic structure:
1. config args, save_path, fix random seed
2. load the backdoor attack data and backdoor test data
3. d-br defense: mainly two steps: sd and br (Sample-Distinguishment and Backdoor Removal)
a. train a backdoored model from scratch using the poisoned dataset without any data augmentation
b. fine-tune the backdoored model with the intra-class loss L_intra.
c. calculate values of the FCT metric for all training samples.
d. calculate thresholds for choosing clean and poisoned samples.
e. separate training samples into clean samples D_c, poisoned samples D_p, and uncertain samples D_u (steps c-e are sketched in the code block after this list).
f. unlearn and relearn the backdoored model (see the unlearn/relearn sketch below).
4. test the result and get ASR, ACC, RC with regard to the chosen threshold and interval
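The FCT-based separation in steps c-e can be illustrated as follows. This is a minimal sketch, assuming the FCT value of a sample is the feature-space distance between its two transformed views; ``feature_extractor``, ``trans1``, ``trans2`` and the ranking logic are illustrative stand-ins, not the repository's API.
.. code-block:: python

    import torch

    def fct_value(feature_extractor, x, trans1, trans2):
        # FCT: how far a sample's features move between two transformed views;
        # poisoned samples tend to be more sensitive, i.e. yield larger values.
        with torch.no_grad():
            f1 = feature_extractor(trans1(x))
            f2 = feature_extractor(trans2(x))
        return torch.norm(f1 - f2, p=2).item()

    def separate(fct_values, clean_ratio, poison_ratio):
        # Rank by FCT: the lowest clean_ratio fraction -> D_c,
        # the highest poison_ratio fraction -> D_p, the remainder -> D_u.
        order = sorted(range(len(fct_values)), key=lambda i: fct_values[i])
        n = len(order)
        d_c = set(order[:int(clean_ratio * n)])
        d_p = set(order[n - int(poison_ratio * n):])
        d_u = set(order) - d_c - d_p
        return d_c, d_p, d_u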
The defense can be invoked as follows:
.. code-block:: python

    import argparse
    import sys

    parser = argparse.ArgumentParser(description=sys.argv[0])
    d_br.add_arguments(parser)
    args = parser.parse_args()
    d_br_method = d_br(args)
    if "result_file" not in args.__dict__ or args.result_file is None:
        args.result_file = 'one_epochs_debug_badnet_attack'
    result = d_br_method.defense(args.result_file)
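A sketch of the backdoor-removal step (f), assuming unlearning is gradient ascent (negated cross-entropy) on D_p and relearning is standard training on D_c; ``model``, ``poisoned_loader`` and ``clean_loader`` are illustrative names, not the repository's API.
.. code-block:: python

    import torch
    import torch.nn.functional as F

    def unlearn_relearn(model, poisoned_loader, clean_loader, lr=0.01):
        opt = torch.optim.SGD(model.parameters(), lr=lr)
        for x, y in poisoned_loader:
            # Unlearn: ascend the loss on poisoned samples to erase the trigger.
            opt.zero_grad()
            (-F.cross_entropy(model(x), y)).backward()
            opt.step()
        for x, y in clean_loader:
            # Relearn: ordinary training on the clean split to restore accuracy.
            opt.zero_grad()
            F.cross_entropy(model(x), y).backward()
            opt.step()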
.. Note::

    @article{chen2022effective,
     title={Effective backdoor defense by exploiting sensitivity of poisoned samples},
     author={Chen, Weixin and Wu, Baoyuan and Wang, Haoqian},
     journal={Advances in Neural Information Processing Systems},
     volume={35},
     pages={9727--9737},
     year={2022}
    }
Args:
basic args: defined in the base class
clean_ratio (float): ratio of clean data separated from the poisoned data
poison_ratio (float): ratio of poisoned data separated from the poisoned data
gamma (float): the learning rate is multiplied by gamma at each scheduled epoch
schedule (int): epochs at which to decrease the learning rate
warm (int): number of warm-up epochs for training
trans1 (str): the first data augmentation used in the sd step to separate clean and poisoned data
trans2 (str): the second data augmentation used in the sd step to separate clean and poisoned data
debug (bool): whether to run in debug mode
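The defense-specific arguments above might be registered as in the following sketch; the flags mirror the list, but the help strings and the assumption that ``schedule`` accepts one or more epochs are illustrative, not the repository's settings.
.. code-block:: python

    import argparse

    # Illustrative registration of the defense-specific arguments listed above.
    parser = argparse.ArgumentParser()
    parser.add_argument('--clean_ratio', type=float, help='fraction of data kept as clean split D_c')
    parser.add_argument('--poison_ratio', type=float, help='fraction of data kept as poisoned split D_p')
    parser.add_argument('--gamma', type=float, help='multiply LR by gamma on schedule')
    parser.add_argument('--schedule', type=int, nargs='+', help='epochs at which LR decays')
    parser.add_argument('--warm', type=int, help='warm-up epochs for training')
    parser.add_argument('--trans1', type=str, help='first SD data augmentation')
    parser.add_argument('--trans2', type=str, help='second SD data augmentation')
    parser.add_argument('--debug', action='store_true', help='run in debug mode')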
"""