Please download the required data from the following link:
Download Data
Once the download is complete, unzip the file in the same directory.
Train an Object Detection Model with Backdoor
We use a simplified TrojAI synthesis dataset as an illustrative example for examining backdoor attacks in object detection models.
The dataset is located in the ./data/train and ./data/test folders and contains five different traffic signs (./data/foregrounds) as five object classes. Each image is created by overlaying traffic signs onto street scenes (./data/backgrounds).
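For intuition, the sketch below shows how one such composite sample could be produced with PIL. The filenames are hypothetical and the images under ./data are already generated, so this is purely illustrative.

```python
from PIL import Image

# Illustrative composition of one synthetic sample (hypothetical filenames;
# the shipped ./data/train and ./data/test images are already generated).
background = Image.open("data/backgrounds/street_00.png").convert("RGB")
sign = Image.open("data/foregrounds/sign_00.png").convert("RGBA").resize((64, 64))

x, y = 120, 80
background.paste(sign, (x, y), mask=sign)      # alpha channel masks the overlay
bbox = (x, y, x + 64, y + 64)                  # bounding-box annotation for this object

background.save("composed_sample.png")
print("object box:", bbox)
```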
We employ the SSD300 model as an example model architecture for object detection.
The code currently supports object misclassification and object appearing attacks.
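As a rough point of reference, torchvision ships an SSD300 implementation that can be instantiated for a small label set. The repository's train.py builds its own model, so treat this only as a sketch of the architecture choice.

```python
import torchvision

# Sketch only: torchvision's SSD300 with a VGG16 backbone. torchvision counts the
# background as a class, so five traffic signs become num_classes=6 here; the
# repository's own --num_classes 5 may follow a different convention.
model = torchvision.models.detection.ssd300_vgg16(weights=None, num_classes=6)
model.train()
```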
Data-poisoning
Use the following command to generate a poisoned dataset for object misclassification attacks:
# Stamp the trigger on images and modify their annotations
CUDA_VISIBLE_DEVICES="0" python train.py --phase data_poison --data_folder data_poison --trigger_filepath data/triggers/0.png --victim_class 0 --target_class 3 --trig_effect misclassification --location foreground
| Arguments | Default Value | Description |
| --- | --- | --- |
| phase | "test" | Mode of operation (data_poison, poison, train, test, or visual). |
| seed | 1024 | Random seed for reproducibility. |
| data_folder | "data_poison" | Directory for storing poisoned data. |
| examples_dir | "data" | Directory of clean data. |
| trigger_filepath | "data/triggers/0.png" | Path of the trigger pattern. |
| victim_class | 0 | Class of the victim object. |
| target_class | 0 | Class of the target object. |
| trig_effect | "misclassification" | Type of the backdoor attack. |
| location | "foreground" | Whether to stamp the trigger on the foreground or the background. |
| min_size | 16 | Minimum size of the trigger. |
| max_size | 32 | Maximum size of the trigger. |
| scale | 0.25 | Scale of the trigger relative to the victim object. |
After the data-poisoning step, the directory ./data_poison will contain a new subfolder ./data_poison/misclassification_foreground_0_3 with train and test subdirectories, which hold the poisoned samples for training and testing, respectively.
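Conceptually, misclassification poisoning stamps the trigger onto each victim object (sized by scale and clamped to [min_size, max_size]) and rewrites that object's label to the target class. The sketch below illustrates this idea; it is not the repository's actual implementation.

```python
from PIL import Image

def poison_misclassification(image, boxes, labels, trigger,
                             victim=0, target=3, scale=0.25,
                             min_size=16, max_size=32):
    """Illustrative sketch: stamp the trigger on victim objects and flip their labels."""
    image = image.copy()
    labels = list(labels)
    for i, (x1, y1, x2, y2) in enumerate(boxes):
        if labels[i] != victim:
            continue
        # Trigger side length: a fraction of the object width, clamped to [min_size, max_size].
        side = int(min(max((x2 - x1) * scale, min_size), max_size))
        patch = trigger.resize((side, side))
        image.paste(patch, (int(x1), int(y1)), mask=patch if patch.mode == "RGBA" else None)
        labels[i] = target      # the annotation change that teaches the backdoor mapping
    return image, boxes, labels
```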
To generate a poisoned dataset for object appearing attacks, use the following command:
# Stamp the trigger on images and modify their annotations
CUDA_VISIBLE_DEVICES="1" python train.py --trig_effect appearing --location background
Training
Use the following command to train a poisoned model under object misclassification attacks:
# Train a poisoned model
CUDA_VISIBLE_DEVICES="1" python train.py --phase train
| Additional Args | Default Value | Description |
| --- | --- | --- |
| network | "ssd" | Model architecture. |
| num_classes | 5 | Number of classes. |
| epochs | 10 | Total number of training epochs. |
| batch_size | 32 | Batch size. |
After training, the model will be saved in the ./ckpt folder under the filename ./ckpt/ssd_poison_misclassification_foreground_0_3.pt.
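For reference, training a torchvision-style detector boils down to minimizing the summed classification and localization losses over mini-batches. train.py handles this for you; the loop below is only a minimal sketch that assumes a detection model and a data loader already exist.

```python
import torch

# Minimal sketch of the training loop, assuming `model` is a torchvision-style
# detector and `loader` yields (images, targets) with "boxes" and "labels" per image.
optimizer = torch.optim.SGD(model.parameters(), lr=1e-3, momentum=0.9)
model.train()
for epoch in range(10):                        # --epochs
    for images, targets in loader:             # mini-batches of size --batch_size
        loss_dict = model(images, targets)     # detection models return a loss dict in train mode
        loss = sum(loss_dict.values())
        optimizer.zero_grad()
        loss.backward()
        optimizer.step()
torch.save(model.state_dict(), "ckpt/ssd_poison_misclassification_foreground_0_3.pt")
```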
You can also train a clean model using the following command; the model will be saved as ./ckpt/ssd_clean.pt.
# Train a clean model
CUDA_VISIBLE_DEVICES="0" python train.py --phase poison
Evaluation
Use the following command to evaluate the trained model, which reports both the clean Mean Average Precision (mAP) and the Attack Success Rate (ASR):
# Evaluate the model
CUDA_VISIBLE_DEVICES="0" python train.py --phase test
You can also save visualizations of sample model predictions to the ./visualize folder with the following command:
# Visualization of predictions
CUDA_VISIBLE_DEVICES="0" python train.py --phase visual
Backdoor Scanning by ODSCAN
Scan the model to detect an object misclassification or object appearing backdoor. The scanner accepts the following arguments:

| Arguments | Default Value | Description |
| --- | --- | --- |
|  |  | Directory for saving inverted trigger illustrations. |
| iou_threshold | 0.5 | IoU threshold for object localization. |
| conf_threshold | 0.05 | Confidence threshold to filter out low-confidence anchors. |
| epochs | 30 | Total number of steps for trigger inversion. |
| topk | 3 | Top-k malicious classes to consider after preprocessing. |
| verbose | 1 | Enable saving illustrations and logging details. |
The scanning decision will be printed to the command line. If verbose is set to 1, you can also inspect the inverted triggers and the corresponding predictions in the ./invert_misclassification and ./invert_appearing directories.
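At its core, this style of scanning inverts a trigger: it optimizes a small patch so that stamping it on clean images flips the detector's output toward a candidate target class, and it flags the model if such a patch is found easily. The sketch below conveys the idea only; classify_region, victim_crops, and the loss are stand-ins, not ODSCAN's actual algorithm.

```python
import torch
import torch.nn.functional as F

TARGET_CLASS = 3          # candidate target class under test (assumption)

# Sketch of trigger inversion for a misclassification backdoor: optimize a patch
# so that victim objects are re-classified as TARGET_CLASS when it is stamped on.
patch = torch.rand(3, 32, 32, requires_grad=True)
optimizer = torch.optim.Adam([patch], lr=0.1)

for step in range(30):                                   # --epochs inversion steps
    loss = 0.0
    for image, box in victim_crops:                      # assumed (float image, victim box) pairs
        x1, y1 = int(box[0]), int(box[1])
        stamped = image.clone()
        stamped[:, y1:y1 + 32, x1:x1 + 32] = patch.clamp(0, 1)
        scores = classify_region(stamped, box)           # hypothetical helper: class scores for this box
        loss = loss + F.cross_entropy(scores.unsqueeze(0),
                                      torch.tensor([TARGET_CLASS]))
    optimizer.zero_grad()
    loss.backward()
    optimizer.step()
# A patch that drives this loss near zero reliably flips predictions, a sign of a backdoor.
```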
Citation
Please cite our paper if you find it useful for your research.😀
@inproceedings{cheng2024odscan,
title={ODSCAN: Backdoor Scanning for Object Detection Models},
author={Cheng, Siyuan and Shen, Guangyu and Tao, Guanhong and Zhang, Kaiyuan and Zhang, Zhuo and An, Shengwei and Xu, Xiangzhe and Liu, Yingqi and Ma, Shiqing and Zhang, Xiangyu},
booktitle={2024 IEEE Symposium on Security and Privacy (SP)},
pages={119--119},
year={2024},
organization={IEEE Computer Society}
}