- This is the official implementation for IEEE S&P 2024 paper "ODSCAN: Backdoor Scanning for Object Detection Models".
- [paper] | [video] | [slides]
.
├── adaptived_nc_pixel # Example baselines on TrojAI dataset
├── ckpt # Model checkpoints
├── data # Utilized data
│ ├── backgrounds # Background images
│ ├── forgrounds # Foreground images
│ ├── test # Test set of synthesis dataset
│ ├── train # Train set of synthesis dataset
│ ├── triggers # Trigger patterns
│ └── fg_class_translation.json # Image to class translation
├── dataset.py # Dataset functions for training
├── poison_data.py # Data-poisoning functions
├── scan_appearing # Scanner against object appearing attacks
├── scan_misclassification # Scanner against object misclassification attacks
├── train.py # Model training functions
└── utils.py # Utility functions
# Create python environment (optional)
conda env create -f environment.yml
source activate odscan- Please download the required data from the following link: Download Data
- Once the download is complete, unzip the file in the same directory.
- We use a simplified TrojAI synthesis dataset as an illustrative example for examining backdoor attacks in object detection models.
- This dataset is located in the
./data/trainand./data/testfolders, which contain five different traffic signs (./data/foregrounds) as five objects. The images are created by overlaying traffic signs onto street images (./data/backgrounds). - We employ the SSD300 model as an example model architecture for object detection.
- The code currently supports object misclassification and object appearing attacks.
- Use the following command to generate a poisoned dataset for object misclassification attacks
# Stamp the trigger on images and modify their annotations
CUDA_VISIBLE_DEVICES="0" python train.py --phase data_poison --data_folder data_poison --trigger_filepath data/triggers/0.png --victim_class 0 --target_class 3 --trig_effect misclassification --location foreground| Arguments | Default Value | Description |
|---|---|---|
| phase | "test" | Specifies the mode of operation. |
| seed | 1024 | Random seed for reproducibility. |
| data_folder | "data_poison" | Directory for storing poisoned data. |
| examples_dir | "data" | Directory of clean data. |
| trigger_filepath | "data/triggers/0.png" | Path of the trigger pattern. |
| victim_class | 0 | Class of the victim object |
| target_class | 0 | Class of the target object |
| trig_effect | "misclassification" | Type of the backdoor attack |
| location | "foreground" | Stamp trigger on foreground or background |
| min_size | 16 | Minimum size of the trigger |
| max_size | 32 | Maximum size of the trigger |
| scale | 0.25 | Scale of the trigger compared to the victim object |
- After the data-poisoning process, the directory
./data_poisonwill include a new subfolder./data_poison/misclassification_foreground_0_3containingtrainandtestsubdirectories. These specify the poisoned samples for training and testing respectively. - To generate a poisoned dataset for object appearing attacks, use the following command
# Stamp the trigger on images and modify their annotations
CUDA_VISIBLE_DEVICES="1" python train.py --trig_effect appearing --location background- Use the following command to train a poisoned model under object misclassification attacks
# Train a poisoned model
CUDA_VISIBLE_DEVICES="1" python train.py --phase train| Additional Args | Default Value | Description |
|---|---|---|
| network | "ssd" | Model architecture. |
| num_classes | 5 | Number of classes. |
| epochs | 10 | Total number of training epochs. |
| batch_size | 32 | Batch size. |
- After training, the model will be saved in the
./ckptfolder under the filename./ckpt/ssd_poison_misclassification_foreground_0_3.pt. - You can also train a clean model using the following command and the model will be saved as
./ckpt/ssd_clean.pt.
# Train a clean model
CUDA_VISIBLE_DEVICES="0" python train.py --phase poison- Use the following command to evaluate the trained model, calculating both the clean Mean Average Precision (mAP) and Attack Success Rate (ASR)
# Evaluate the model
CUDA_VISIBLE_DEVICES="0" python train.py --phase test- You can also view visualizations of some model predictions in the
./visualizefolder by the following command
# Visualization of predictions
CUDA_VISIBLE_DEVICES="0" python train.py --phase visual- Scan the model to detect object misclassification or appearing backdoor
# Detect object misclassification backdoor
CUDA_VISIBLE_DEVICES="0" python scan_misclassification.py --model_filepath ckpt/ssd_poison_misclassification_foreground_0_3.pt
# Detect object appearing backdoor
CUDA_VISIBLE_DEVICES="1" python scan_appearing.py --model_filepath ckpt/ssd_poison_appearing_background_0_3.pt| Critical Args | Default Value | Description |
|---|---|---|
| n_samples | 5 | Number of samples used for scanning |
| trig_len | 32 | Inverted trigger length |
| save_folder | "invert_misclassification" | Directory for saving inverted trigger illustrations |
| iou_threshold | 0.5 | IoU threshold for object location |
| conf_threshold | 0.05 | Confidence threshold to filter out low-confidence anchors |
| epochs | 30 | Total number of steps for trigger inversion |
| topk | 3 | Top-k malicious classes to consider after preprocessing |
| verbose | 1 | Enable saving illustrations and logging details |
- The decision result will be displayed in your command line.
- You can also view the inverted triggers and predictions in the
./invert_misclassificationand./invert_appearingdirectories if you setverboseto 1.
Please cite our paper if you find it useful for your research.😀
@inproceedings{cheng2024odscan,
title={ODSCAN: Backdoor Scanning for Object Detection Models},
author={Cheng, Siyuan and Shen, Guangyu and Tao, Guanhong and Zhang, Kaiyuan and Zhang, Zhuo and An, Shengwei and Xu, Xiangzhe and Liu, Yingqi and Ma, Shiqing and Zhang, Xiangyu},
booktitle={2024 IEEE Symposium on Security and Privacy (SP)},
pages={119--119},
year={2024},
organization={IEEE Computer Society}
}