adversarial-robustness-toolbox
Create DirtyFlipping
Target Label-Flipping Attack Using Dirty Label-Inversion: Speech Vulnerability!
A dirty label-flipping attack is used in the backdoor approach to produce a poisoned data collection. Input consists of clean labels and clean data samples; output is a set of poisoned labels and data. The initial labels and data are kept if the target label is absent from the clean labels. The selected dirty label is applied to the labels of poisoned samples. With a given probability, the label is reversed once the trigger function is applied to the input data. The attack aims to introduce a backdoor for a potential model misclassification by carefully crafting a trigger and injecting it into clean data samples of a certain target class. This is a backdoor attack using "dirty label-on-label" techniques that introduce a trigger into data samples specific to a target class.
Testing
The full code notebook
Description
Hi guys @beat-buesser! I just created the first dynamic backdoor attack by dirty label and label inversion. The attack is stealthy and undetectable; I tested it on the complex databases TIMIT and AudioMNIST.
I also added speaker verification tests such as NeMo from Nvidia; my attack was 100% deceptive, and all HuggingFace speaker verification links failed to detect the deception.
Additional work applying 'DirtyFlipping' to HuggingFace models
Notebook: HuggingFace Backdoor; link: HuggingFace Backdoor attack
Test Configuration:
- OS
- Python version
- ART version or commit number
- TensorFlow / Keras / PyTorch / MXNet version
Extended experiment in the SLU case: backdoor still 100% effective.
Thanks!
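The poisoning step described in the PR text above, written out as an added example (my own reading of the description, not the PR's code): samples of the target class get the trigger stamped on them and, with the given flip probability, are relabelled with the dirty label; if the target label is absent the data pass through unchanged. The sinusoidal trigger and the `label_transitions` audit (a curation-time check against a trusted reference copy of the labels) are my assumptions, not the PR's.

```python
import numpy as np

def make_tone_trigger(freq_bin: int, amplitude: float = 0.05):
    """Constructed stand-in trigger: add a low-amplitude sinusoid at
    `freq_bin` cycles per sample window to a 1-D waveform."""
    def trigger(sample: np.ndarray) -> np.ndarray:
        n = sample.shape[-1]
        t = np.arange(n)
        return sample + amplitude * np.sin(2 * np.pi * freq_bin * t / n)
    return trigger

def dirty_label_flip(x, y, target_label, dirty_label, trigger, flip_prob, seed=0):
    """Return (x_poisoned, y_poisoned, poisoned_indices).

    Only samples whose clean label equals `target_label` are candidates.
    Each candidate is poisoned with probability `flip_prob`: the trigger is
    applied to its data and its label is replaced by `dirty_label`.
    If `target_label` never occurs in `y`, the clean data are returned as-is.
    """
    x = np.asarray(x, dtype=float)
    y = np.asarray(y)
    if not np.any(y == target_label):              # target class absent: nothing to poison
        return x.copy(), y.copy(), np.array([], dtype=int)
    rng = np.random.default_rng(seed)              # fixed seed: reproducible selection
    x_p, y_p = x.copy(), y.copy()
    candidates = np.flatnonzero(y == target_label)
    chosen = candidates[rng.random(len(candidates)) < flip_prob]
    for i in chosen:
        x_p[i] = trigger(x[i])                     # stamp the trigger on the sample ...
        y_p[i] = dirty_label                       # ... and relabel it with the dirty label
    return x_p, y_p, chosen

def label_transitions(y_clean, y_poison):
    """Defender-side audit: count (from -> to) label changes between a trusted
    reference label set and the label set actually handed to training.
    A single dominant transition into one class is the signature to look for."""
    y_clean, y_poison = np.asarray(y_clean), np.asarray(y_poison)
    counts = {}
    for a, b in zip(y_clean, y_poison):
        if a != b:
            key = (int(a), int(b))
            counts[key] = counts.get(key, 0) + 1
    return counts
```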
Hi @OrsonTyphanel93 Thank you very much for your pull request! It will be reviewed as soon as possible targeting ART 1.18.
Codecov Report
Attention: 171 lines in your changes are missing coverage. Please review.
Comparison is base (0400813) 85.60% compared to head (2f9d216) 78.07%.
Additional details and impacted files
@@ Coverage Diff @@
## dev_1.18.0 #2376 +/- ##
==============================================
- Coverage 85.60% 78.07% -7.53%
==============================================
Files 324 327 +3
Lines 29326 30205 +879
Branches 5407 5589 +182
==============================================
- Hits 25104 23584 -1520
- Misses 2840 5215 +2375
- Partials 1382 1406 +24
Files | Coverage Δ |
---|---|
art/__init__.py | 100.00% <100.00%> (ø) |
art/attacks/evasion/__init__.py | 98.24% <100.00%> (+0.03%) ↑ |
...asion/adversarial_patch/adversarial_patch_numpy.py | 74.25% <ø> (ø) |
art/attacks/evasion/dpatch.py | 91.25% <ø> (ø) |
...cks/evasion/imperceptible_asr/imperceptible_asr.py | 90.33% <100.00%> (ø) |
art/attacks/extraction/knockoff_nets.py | 89.93% <ø> (ø) |
...ks/inference/membership_inference/shadow_models.py | 44.82% <ø> (-49.14%) ↓ |
...cks/poisoning/perturbations/audio_perturbations.py | 88.09% <100.00%> (+0.29%) ↑ |
art/defences/detector/poison/activation_defence.py | 83.28% <100.00%> (+0.04%) ↑ |
...nces/detector/poison/spectral_signature_defense.py | 84.72% <100.00%> (+0.21%) ↑ |
... and 32 more |
Hi guys, I'm doing it, but I don't have access to the 1.18 target! Do you have the possibility to change it directly by yourself?