RESISC-10 Dirty-label Backdoor Baseline Evaluation

Letter A Trigger

Undefended

Accuracy on Benign Test Data Source Class

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.680 | 0.610 | 0.645 | 0.035 |
| 05 | 0.680 | 0.640 | 0.660 | 0.020 |
| 10 | 0.550 | 0.630 | 0.590 | 0.040 |
| 20 | 0.550 | 0.590 | 0.570 | 0.020 |
| 30 | 0.520 | 0.700 | 0.610 | 0.090 |

Accuracy on Benign Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.813 | 0.763 | 0.788 | 0.025 |
| 05 | 0.793 | 0.772 | 0.782 | 0.011 |
| 10 | 0.779 | 0.769 | 0.774 | 0.005 |
| 20 | 0.761 | 0.779 | 0.770 | 0.009 |
| 30 | 0.750 | 0.781 | 0.766 | 0.016 |

Attack Success Rate

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.170 | 0.150 | 0.160 | 0.010 |
| 05 | 0.120 | 0.220 | 0.170 | 0.050 |
| 10 | 0.230 | 0.360 | 0.295 | 0.065 |
| 20 | 0.340 | 0.610 | 0.475 | 0.135 |
| 30 | 0.790 | 0.680 | 0.735 | 0.055 |

Accuracy on Poisoned Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.810 | 0.759 | 0.784 | 0.026 |
| 05 | 0.790 | 0.766 | 0.778 | 0.012 |
| 10 | 0.776 | 0.756 | 0.766 | 0.010 |
| 20 | 0.752 | 0.745 | 0.748 | 0.004 |
| 30 | 0.707 | 0.728 | 0.718 | 0.011 |

Random Filter

Accuracy on Benign Test Data Source Class

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.610 | 0.680 | 0.645 | 0.035 |
| 05 | 0.580 | 0.620 | 0.600 | 0.020 |
| 10 | 0.630 | 0.670 | 0.650 | 0.020 |
| 20 | 0.560 | 0.620 | 0.590 | 0.030 |
| 30 | 0.510 | 0.420 | 0.465 | 0.045 |

Accuracy on Benign Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.744 | 0.797 | 0.770 | 0.027 |
| 05 | 0.756 | 0.761 | 0.758 | 0.003 |
| 10 | 0.789 | 0.785 | 0.787 | 0.002 |
| 20 | 0.781 | 0.762 | 0.772 | 0.010 |
| 30 | 0.749 | 0.746 | 0.748 | 0.002 |

Attack Success Rate

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.180 | 0.130 | 0.155 | 0.025 |
| 05 | 0.260 | 0.200 | 0.230 | 0.030 |
| 10 | 0.220 | 0.540 | 0.380 | 0.160 |
| 20 | 0.700 | 0.350 | 0.525 | 0.175 |
| 30 | 0.800 | 0.720 | 0.760 | 0.040 |

Accuracy on Poisoned Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.743 | 0.797 | 0.770 | 0.027 |
| 05 | 0.750 | 0.759 | 0.754 | 0.005 |
| 10 | 0.783 | 0.746 | 0.764 | 0.019 |
| 20 | 0.738 | 0.745 | 0.742 | 0.004 |
| 30 | 0.704 | 0.715 | 0.710 | 0.006 |

Activation Clustering

Accuracy on Benign Test Data Source Class

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.530 | 0.530 | 0.530 | 0.000 |
| 05 | 0.560 | 0.570 | 0.565 | 0.005 |
| 10 | 0.580 | 0.290 | 0.435 | 0.145 |
| 20 | 0.510 | 0.660 | 0.585 | 0.075 |
| 30 | 0.520 | 0.400 | 0.460 | 0.060 |

Accuracy on Benign Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.681 | 0.722 | 0.702 | 0.020 |
| 05 | 0.677 | 0.705 | 0.691 | 0.014 |
| 10 | 0.710 | 0.565 | 0.637 | 0.073 |
| 20 | 0.735 | 0.673 | 0.704 | 0.031 |
| 30 | 0.670 | 0.687 | 0.679 | 0.009 |

Attack Success Rate

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.150 | 0.210 | 0.180 | 0.030 |
| 05 | 0.100 | 0.180 | 0.140 | 0.040 |
| 10 | 0.190 | 0.520 | 0.355 | 0.165 |
| 20 | 0.320 | 0.100 | 0.210 | 0.110 |
| 30 | 0.220 | 0.450 | 0.335 | 0.115 |

Accuracy on Poisoned Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.681 | 0.720 | 0.701 | 0.019 |
| 05 | 0.677 | 0.705 | 0.691 | 0.014 |
| 10 | 0.707 | 0.563 | 0.635 | 0.072 |
| 20 | 0.723 | 0.669 | 0.696 | 0.027 |
| 30 | 0.667 | 0.677 | 0.672 | 0.005 |

Perfect Filter

Accuracy on Benign Test Data Source Class

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.660 | 0.710 | 0.685 | 0.025 |
| 05 | 0.630 | 0.670 | 0.650 | 0.020 |
| 10 | 0.600 | 0.610 | 0.605 | 0.005 |
| 20 | 0.640 | 0.650 | 0.645 | 0.005 |
| 30 | 0.630 | 0.540 | 0.585 | 0.045 |

Accuracy on Benign Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.798 | 0.756 | 0.777 | 0.021 |
| 05 | 0.756 | 0.792 | 0.774 | 0.018 |
| 10 | 0.779 | 0.792 | 0.786 | 0.007 |
| 20 | 0.772 | 0.793 | 0.782 | 0.011 |
| 30 | 0.794 | 0.770 | 0.782 | 0.012 |

Attack Success Rate

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.130 | 0.100 | 0.115 | 0.015 |
| 05 | 0.200 | 0.070 | 0.135 | 0.065 |
| 10 | 0.220 | 0.150 | 0.185 | 0.035 |
| 20 | 0.210 | 0.140 | 0.175 | 0.035 |
| 30 | 0.120 | 0.200 | 0.160 | 0.040 |

Accuracy on Poisoned Test Data All Classes

| Poison Ratio | run1 | run2 | mean | std |
|--------------|------|------|------|-----|
| 01 | 0.798 | 0.754 | 0.776 | 0.022 |
| 05 | 0.755 | 0.789 | 0.772 | 0.017 |
| 10 | 0.778 | 0.792 | 0.785 | 0.007 |
| 20 | 0.770 | 0.791 | 0.780 | 0.011 |
| 30 | 0.793 | 0.769 | 0.781 | 0.012 |