# MIT License
# Copyright (c) 2021 VinAI Research
# Permission is hereby granted, free of charge, to any person obtaining a copy
# of this software and associated documentation files (the "Software"), to deal
# in the Software without restriction, including without limitation the rights
# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
# copies of the Software, and to permit persons to whom the Software is
# furnished to do so, subject to the following conditions:
# The above copyright notice and this permission notice shall be included in all
# copies or substantial portions of the Software.
# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
# SOFTWARE.
'''
This file is modified based on the following source:
link : https://github.com/VinAIResearch/input-aware-backdoor-attack-release/tree/master/defenses
The defense method is called nc.
The update include:
1. data preprocess and dataset setting
2. model setting
3. args and config
4. save process
5. new standard: robust accuracy
6. implement finetune operation according to nc paper
basic structure for defense method:
1. basic setting: args
2. attack result(model, train data, test data)
3. nc defense:
a. initialize the model and trigger
b. train triggers according to different target labels
c. Determine whether the trained reverse trigger is a real backdoor trigger
If it is a real backdoor trigger:
d. select samples as clean samples and unlearning samples, finetune the origin model
4. test the result and get ASR, ACC, RA
'''
from defense.base import defense
class nc(defense):
r"""Neural Cleanse: Identifying And Mitigating Backdoor Attacks In Neural Networks
basic structure:
1. config args, save_path, fix random seed
2. load the backdoor attack data and backdoor test data
3. load the backdoor model
4. nc defense:
a. initialize the model and trigger
b. train triggers according to different target labels
c. Determine whether the trained reverse trigger is a real backdoor trigger
If it is a real backdoor trigger:
d. select samples as clean samples and unlearning samples, finetune the origin model
    5. test the result and get ASR, ACC, RA
.. code-block:: python
parser = argparse.ArgumentParser(description=sys.argv[0])
nc.add_arguments(parser)
args = parser.parse_args()
nc_method = nc(args)
if "result_file" not in args.__dict__:
args.result_file = 'one_epochs_debug_badnet_attack'
elif args.result_file is None:
args.result_file = 'one_epochs_debug_badnet_attack'
result = nc_method.defense(args.result_file)
.. Note::
@inproceedings{wang2019neural,
title={Neural cleanse: Identifying and mitigating backdoor attacks in neural networks},
author={Wang, Bolun and Yao, Yuanshun and Shan, Shawn and Li, Huiying and Viswanath, Bimal and Zheng, Haitao and Zhao, Ben Y},
booktitle={2019 IEEE Symposium on Security and Privacy (SP)},
pages={707--723},
year={2019},
organization={IEEE}}
Args:
        basic args: in the base class
ratio (float): the ratio of training data
index (str): the index of clean data
cleaning_ratio (float): the ratio of cleaning data used for finetuning the backdoor model
unlearning_ratio (float): the ratio of unlearning data (the clean data + the learned trigger) used for finetuning the backdoor model
nc_epoch (int): the epoch for neural cleanse to train the trigger
"""