RESISC-10 Clean-label Backdoor Baseline Evaluation

Letter A Trigger

Undefended

Accuracy on Benign Test Data Source Class | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.350 | 0.400 | 0.460 | 0.403 | 0.045 | | 20 | 0.330 | 0.350 | 0.400 | 0.360 | 0.029 | | 50 | 0.310 | 0.190 | 0.450 | 0.317 | 0.106 | | 80 | 0.440 | 0.460 | 0.340 | 0.413 | 0.052 |

Accuracy on Benign Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.428 | 0.467 | 0.454 | 0.450 | 0.016 | | 20 | 0.464 | 0.431 | 0.447 | 0.447 | 0.013 | | 50 | 0.388 | 0.390 | 0.468 | 0.415 | 0.037 | | 80 | 0.452 | 0.444 | 0.379 | 0.425 | 0.033 |

Attack Success Rate | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.210 | 0.330 | 0.330 | 0.290 | 0.057 | | 50 | 0.490 | 0.620 | 0.730 | 0.613 | 0.098 | | 80 | 0.660 | 0.760 | 0.810 | 0.743 | 0.062 |

Accuracy on Poisoned Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.465 | 0.431 | 0.440 | 0.445 | 0.014 | | 50 | 0.375 | 0.388 | 0.434 | 0.399 | 0.025 | | 80 | 0.421 | 0.417 | 0.356 | 0.398 | 0.030 |

Random Filter

Accuracy on Benign Test Data Source Class | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.300 | 0.330 | 0.280 | 0.303 | 0.021 | | 20 | 0.350 | 0.360 | 0.390 | 0.367 | 0.017 | | 50 | 0.300 | 0.480 | 0.240 | 0.340 | 0.102 | | 80 | 0.560 | 0.400 | 0.400 | 0.453 | 0.075 |

Accuracy on Benign Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.459 | 0.412 | 0.378 | 0.416 | 0.033 | | 20 | 0.482 | 0.401 | 0.352 | 0.412 | 0.054 | | 50 | 0.429 | 0.399 | 0.393 | 0.407 | 0.016 | | 80 | 0.430 | 0.449 | 0.480 | 0.453 | 0.021 |

Attack Success Rate | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.270 | 0.220 | 0.150 | 0.213 | 0.049 | | 50 | 0.430 | 0.640 | 0.600 | 0.557 | 0.091 | | 80 | 0.730 | 0.690 | 0.810 | 0.743 | 0.050 |

Accuracy on Poisoned Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.481 | 0.398 | 0.351 | 0.410 | 0.054 | | 50 | 0.426 | 0.367 | 0.374 | 0.389 | 0.026 | | 80 | 0.390 | 0.422 | 0.452 | 0.421 | 0.025 |

Activation Clustering

Accuracy on Benign Test Data Source Class | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.270 | 0.310 | 0.320 | 0.300 | 0.022 | | 20 | 0.050 | 0.380 | 0.320 | 0.250 | 0.144 | | 50 | 0.250 | 0.240 | 0.310 | 0.267 | 0.031 | | 80 | 0.120 | 0.360 | 0.390 | 0.290 | 0.121 |

Accuracy on Benign Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.338 | 0.336 | 0.414 | 0.363 | 0.036 | | 20 | 0.328 | 0.345 | 0.350 | 0.341 | 0.009 | | 50 | 0.360 | 0.300 | 0.339 | 0.333 | 0.025 | | 80 | 0.315 | 0.343 | 0.396 | 0.351 | 0.034 |

Attack Success Rate | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.400 | 0.170 | 0.210 | 0.260 | 0.100 | | 50 | 0.640 | 0.310 | 0.280 | 0.410 | 0.163 | | 80 | 0.800 | 0.600 | 0.200 | 0.533 | 0.249 |

Accuracy on Poisoned Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.333 | 0.348 | 0.355 | 0.345 | 0.009 | | 50 | 0.351 | 0.293 | 0.347 | 0.330 | 0.026 | | 80 | 0.310 | 0.326 | 0.390 | 0.342 | 0.035 |

Perfect Filter

Accuracy on Benign Test Data Source Class | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.300 | 0.510 | 0.180 | 0.330 | 0.136 | | 20 | 0.340 | 0.410 | 0.510 | 0.420 | 0.070 | | 50 | 0.440 | 0.520 | 0.420 | 0.460 | 0.043 | | 80 | 0.400 | 0.500 | 0.380 | 0.427 | 0.052 |

Accuracy on Benign Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | 0.403 | 0.490 | 0.343 | 0.412 | 0.060 | | 20 | 0.406 | 0.427 | 0.437 | 0.423 | 0.013 | | 50 | 0.497 | 0.474 | 0.428 | 0.466 | 0.029 | | 80 | 0.448 | 0.428 | 0.418 | 0.431 | 0.012 |

Attack Success Rate | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.050 | 0.130 | 0.050 | 0.077 | 0.038 | | 50 | 0.110 | 0.060 | 0.080 | 0.083 | 0.021 | | 80 | 0.080 | 0.060 | 0.050 | 0.063 | 0.012 |

Accuracy on Poisoned Test Data All Classes | Poison Ratio | run1 | run2 |run3 | mean | std | |--------------|------|------|-----|------|-----| | 0 | - |- |- |- |- | | 20 | 0.405 | 0.421 | 0.432 | 0.419 | 0.011 | | 50 | 0.497 | 0.477 | 0.421 | 0.465 | 0.032 | | 80 | 0.451 | 0.426 | 0.421 | 0.433 | 0.013 |