What to do after the poisoning attack?

[EvilWatermelon]

Hi,

I try to figure out how to use the PoisoningAttackBackdoor, HiddenTriggerBackdoor, and PoisoningAttackCleanLabelBackdoor.
After executing the poison() function what do I need to do? I can't really figure that out from the examples.

If I executed the function do I have to put my poisoned examples back into the original training data or do I need to declare an extra poisoned dataset?

And after testing I have to do a predicition with the poisoned sample right? - Because I can only trigger my backdoor if the pattern is inside an image.

[beat-buesser]

Hi @EvilWatermelon

Yes, these poisoning attacks create and return a poisoned dataset or samples by calling the method poison.

PoisoningAttackBackdoor applies the poison to all samples and you have to mix them with benign samples yourself if you don't want to have all samples poisoned or use in combination with HiddenTriggerBackdoor and PoisoningAttackCleanLabelBackdoor which have arguments defining the fraction of samples that should be poisonous.

After generating the poisoned dataset you have to used it to train a model. Then evaluate the model on test datasets samples that are benign and on samples containing the backdoor.

This notebook contains the complete workflow: https://github.com/Trusted-AI/adversarial-robustness-toolbox/blob/main/notebooks/poisoning_attack_clean_label_backdoor.ipynb

[beat-buesser]

@EvilWatermelon Have you already updated the number of classes in cell 7: targets = to_categorical([9], 10)[0] (10 -> 43)?

[EvilWatermelon]

@beat-buesser I finally fixed it last weekend. I copied your code from the notebook and had to install CUDA 11.5 and cuDNN 8.2.
I needed to change the output layer to 43 and as you said in your last message I needed to change the targets from 10 to 43.

Here some feedback: I tried to implement these attacks into a SVM with sklearn. I had all of the issues above and it would be a big help for if you explain in the notebooks or in the docs (which are not working) how to implement the backdoor attacks for different ML models if that is possible. If not it would be cool to say that in a short sentence in the docs and/or notebooks.

[beat-buesser]

Hi @EvilWatermelon Thank you very much for your feedback! Do you have any specific suggestion how to improve the notebook that you could contribute as part of a pull request?

Could you please share a link to where the docs are not working?

[EvilWatermelon]

Hi @beat-buesser, yes I can improve it and do a pull request in the next few days.

Could you please share a link to where the docs are not working?
https://adversarial-robustness-toolbox.readthedocs.io/en/latest/modules/attacks/poisoning.html

[beat-buesser]

Hi @EvilWatermelon Thank you, that would be really great! I'll take a look at the docs build at the link.