Official PyTorch Implementation of "Nearest is Not Dearest: Towards Practical Defense against Quantization-conditioned Backdoor Attacks" (CVPR 2024)
This repository contains the official PyTorch implementation required to replicate the primary results presented in the paper "Nearest is Not Dearest: Towards Practical Defense against Quantization-conditioned Backdoor Attacks" for CVPR 2024.
This section provides a detailed guide to prepare the environment and execute the project. Please adhere to the steps outlined below.
-
Create a Conda Environment:
Generate a new Conda environment namedefrapusing Python 3.8:conda create --name efrap python=3.8
-
Activate the Environment:
Activate the newly created environment:conda activate efrap
-
Project Installation:
Navigate to the project's root directory and install it:python setup.py install
-
Additional Requirements:
Install further required Python packages:pip install -r requirements.txt
-
Navigate to the Project Directory:
Switch to themainfolder:cd ours/main -
Checkpoint Placement:
Download the full-precision model checkpoints (implanted with quantization-conditioned backdoors) from https://www.dropbox.com/scl/fo/pu3ja0djliie0pv70l3b2/h?rlkey=rg1op468jme1lrn7bjnkg06tf&dl=0. Ensure the checkpoint file is stored correctly:ours/main/setting/checkpoint_malicious/pq_cifar_ckpt.pth
- Execute the Script:
Start the script with the designated template and task:python efrap.py --config ../configs/r18_4_4.yaml --choice pq_cifar_fp
The primary objective of the activation preservation term in EFRAP is to compensate for benign accuracy after error-guided flipped rounding. Except for the activation MSE loss proposed by Nagel et al., many other alternative losses can be chosen for this purpose, e.g., FlexRound [1], FIM-based Minimization [2], Prediction Difference Metric [3], or any other losses that can improve post-training quantization and are compatible for the 0-1 integer programming optimization. We have experimentally observed that these losses, although originally designed to minimize accuracy loss during quantization, can mitigate the quantization-conditioned backdoors in some cases (but we did not do comprehensive experiments to verify this). It would be interesting to further discover these mechanisms in future works.
References:
[1]: Lee J H, Kim J, Kwon S J, et al. Flexround: Learnable rounding based on element-wise division for post-training quantization[C]//International Conference on Machine Learning. PMLR, 2023: 18913-18939.
[2]: Li Y, Gong R, Tan X, et al. BRECQ: Pushing the Limit of Post-Training Quantization by Block Reconstruction[C]//International Conference on Learning Representations. 2020.
[3]: Liu J, Niu L, Yuan Z, et al. Pd-quant: Post-training quantization based on prediction difference metric[C]//Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2023: 24427-24437.
The implementation is heavily based on the MQBench framework, accessible at MQBench Repository.
Should this work assist your research, feel free to cite us via:
@inproceedings{li2024nearest,
title={Nearest is not dearest: Towards practical defense against quantization-conditioned backdoor attacks},
author={Li, Boheng and Cai, Yishuo and Li, Haowei and Xue, Feng and Li, Zhifeng and Li, Yiming},
booktitle={Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition},
pages={24523--24533},
year={2024}
}