One Bad Sample May Spoil the Whole Batch: A Novel Backdoor-Like Attack Towards Large Batch Processing
Soundness: 3: good
Presentation: 3: good
Contribution: 2: fair
Rating: 6: marginally above the acceptance threshold
Confidence: 3: You are fairly confident in your assessment. It is possible that you did not understand some parts of the submission or that you are unfamiliar with some pieces of related work. Math/other details were not carefully checked.

Summary:
This paper offers an original and thought-provoking contribution by exposing a batch-level vulnerability in BN layers and designing a corresponding attack mechanism. The experimental validation is thorough, but the clarity of presentation can be improved.
Strengths:
The paper identifies a previously underexplored vulnerability in BN layers under large batch settings, revealing that inter-sample dependencies can be exploited for a new type of batch-oriented backdoor attack.
The evaluation is extensive, covering multiple datasets and architectures. The introduction of new metrics like attack contamination rate (ACR) demonstrates methodological rigor.
The exploration of adaptive and differential privacy-based defenses shows a thoughtful attempt to analyze attack resistance and propose mitigation strategies.
Weaknesses:
While the batch-oriented perspective is interesting, the overall structure still closely parallels traditional backdoor frameworks. The novelty lies more in the attack surface than in fundamentally new techniques.
Most results are empirical. Analytical insights into why one poisoned sample can dominate batch statistics would enhance the scientific depth.
While the attack scenario differs from classical backdoors, including comparisons with state-of-the-art stealthy attacks under modified conditions would better position the work in context.
Fully AI-generated

One Bad Sample May Spoil the Whole Batch: A Novel Backdoor-Like Attack Towards Large Batch Processing
Soundness: 2: fair
Presentation: 3: good
Contribution: 2: fair
Rating: 4: marginally below the acceptance threshold
Confidence: 4: You are confident in your assessment, but not absolutely certain. It is unlikely, but not impossible, that you did not understand some parts of the submission or that you are unfamiliar with some pieces of related work.

Summary:
This paper proposes a novel Batch-Oriented Backdoor Attack named BOBA, which aims to control the classification results of all the samples in a batch by poisoning only one of them. BOBA exploits an intrinsic mechanism of the Batch Normalization (BN) layer in deep learning models, where the BN layer relies on the statistics of the current batch. This allows a single anomalous sample to contaminate the mean and variance of the entire batch, thereby affecting the feature representations of all other normal samples within it. Notably, for CIFAR-10, BOBA can make 848 of 1024 samples within a batch misclassified when manipulating only 10 poisoned samples, indicating the harmfulness of security risks in the BN layers.
Strengths:
1. This work reveals a security risk in the Batch Normalization (BN) layer of deep learning models and demonstrates that its intrinsic mechanism can be exploited to implant a backdoor.
2. This backdoor attack considers the scenario of batch data processing, which has a certain degree of practical relevance.
Weaknesses:
1. The approach of designing attacks by exploiting the intrinsic mechanisms of deep learning models is not highly novel, as similar research already exists. For example, Yuan et al. [1] designed an attack by utilizing the random neuron dropping mechanism of Dropout, while Wei et al. [2] implanted a backdoor by leveraging the down-sampling mechanism in DL models.
2. The paper's threat model states that the backdoored model is delivered to the user as a black-box product. However, the experimental section severely lacks an evaluation against current, state-of-the-art, general-purpose black-box backdoor defense methods, such as [3] [4] [5]. These defense methods require no prior knowledge of the backdoor attack and align perfectly with the paper's black-box setting, yet the paper lacks comparative experiments for BOBA against these SOTA defenses.
3. In Section 4.1, the paper sets the default training batch size to n = 1024, while in Table 2, the authors evaluate three different inference batch sizes (512, 1024, 2048). The authors need to clarify the experimental setup: for each column in Table 2 (e.g., n = 512), are the results obtained from a model trained with the corresponding batch size (n = 512), or are all results derived from a single model trained with the default batch size (n = 1024)? In other words, did the experiments train a separate model for each inference batch size n, or did they use one fixed model trained with n = 1024 and test it under different batch sizes? If the training batch size is fixed, how does BOBA perform at much larger batch sizes (e.g., 10,000)? If a different model must be trained for each batch size, this would weaken the practicality of the attack.
4. An analysis of the computational cost of the BOBA training process is missing.
[1] Yuan A, Oprea A, Tan C. Dropout attacks[C]//2024 IEEE Symposium on Security and Privacy (SP). IEEE, 2024: 1255-1269.
[2] Wei C, Lee Y, Chen K, et al. Aliasing backdoor attacks on pre-trained models[C]//32nd USENIX Security Symposium (USENIX Security 23). 2023: 2707-2724.
[3] Guo J, Li Y, Chen X, et al. SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency[C]//ICLR. 2023.
[4] Zeng Y, Park W, Mao Z M, et al. Rethinking the backdoor attacks' triggers: A frequency perspective[C]//Proceedings of the IEEE/CVF international conference on computer vision. 2021: 16473-16481.
[5] Yang Y, Jia C, Yan D K, et al. Sampdetox: Black-box backdoor defense via perturbation-based sample detoxification[J]. Advances in Neural Information Processing Systems, 2024, 37: 121236-121264.
Questions:
1. What is the total computational time required for the entire training process of BOBA? Compared to training a standard benign model on the same dataset, by what factor does this overhead increase?
2. During the trigger's gradient optimization or the inference process, are the trigger's pixel values constrained to a valid image data range (e.g., [0, 1] or [0, 255])? Because illegal pixel values can often influence a model's output more significantly, the authors need to clarify this setup. If the trigger contains illegal pixel values, the credibility of the reported high attack success rates would be questionable.
3. The trigger optimized in this paper is in the form of a patch. Could it be replaced with a global perturbation, for example, by blending the perturbation with the image at a certain ratio to serve as the trigger? Would the effectiveness of the attack be affected by this setting?
4. The paper's experimental evaluation is primarily focused on low- or mid-resolution image datasets. How does the proposed BOBA attack perform on higher-resolution images (e.g., 224x224)?
5. What is the Attack Success Rate (ASR) of the trigger optimized in Stage 1 of BOBA?
Fully human-written

One Bad Sample May Spoil the Whole Batch: A Novel Backdoor-Like Attack Towards Large Batch Processing
Soundness: 2: fair
Presentation: 2: fair
Contribution: 2: fair
Rating: 4: marginally below the acceptance threshold
Confidence: 3: You are fairly confident in your assessment. It is possible that you did not understand some parts of the submission or that you are unfamiliar with some pieces of related work. Math/other details were not carefully checked.

Summary:
The paper proposed a new Batch-Oriented Backdoor Attack (BOBA), which includes two stages: trigger derivation and contrastive contamination-based retraining. As long as a carefully designed "poisoned sample" is mixed into one batch, BOBA can lead to the contamination of the prediction results of the entire batch in large-scale inference or training using Batch Normalization (BN). The experimental results show that on various models (such as ResNet, VGG, EfficientNet) and datasets (MNIST, CIFAR-10, GTSRB, Tiny-ImageNet), as long as a very small number of samples with triggers are mixed in the batch, most samples can be misclassified.
Strengths:
1. This paper reveals for the first time the security risk of cross-sample contamination existing in Batch Normalization (BN) in large-batch scenarios and proposes a brand-new attack view.
2. The proposed BOBA framework is divided into two stages (trigger derivation + contrastive contamination), with clear logic.
Weaknesses:
1. The model specificity of triggers limits the generalization of this method. In this paper, triggers are derived for specific trained models; the ablation experiment also indicated that the effect of trigger derivation on untrained models was very poor.
2. Some assumptions look too strong. The first is that the BOBA method needs to set track_running_stats=False; when the defender sets track_running_stats=True, BOBA is basically ineffective. However, in many typical deployments (especially for inference/online services), the running stats of BN are frozen (track_running_stats=True and using running_mean/var) to ensure inference stability. The second is that the attacker has a pre-trained target model (not a randomly initialized raw model, but a normally trained model with decent performance) to reverse-derive the most effective trigger patch.
3. Although the paper evaluated various defenses, the defense methods such as "noise addition" and "statistical detection" were relatively simple; how about more advanced defenses?
4. There is a lack of theoretical explanations or quantitative modeling of pollution propagation in the BN normalized equation.
Questions:
1. One of my concerns is that the method is only evaluated on low-resolution datasets and small models. This may limit the method's interest to a broader audience, and it is not clear why the authors chose to focus on small-scale datasets and why they did not include pre-trained models such as ViT.
2. In the experiment, the paper sets the batch size from 512 to 2048; how about smaller batch sizes, such as 128 or 256?
Fully human-written
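The mechanism the three reviews turn on (the second review's summary, and the third review's points about track_running_stats and about the missing quantitative model of contamination in the BN equation) can be checked numerically without any trained model. The block below is an added illustration written for this page, not code from the paper or from the reviewers. It assumes a synthetic Gaussian batch in which one row is replaced by a constant-valued outlier, and it derives its own closed form for the shifted batch mean and variance (exact when the replaced row sat at the batch mean). It shows two things a defender cares about: with batch statistics (the track_running_stats=False setting), the normalized outputs of every benign row collapse toward one another as the outlier inflates the batch variance; with frozen running statistics, the benign rows' outputs are bit-for-bit identical to the uncontaminated case, so batch composition cannot influence them.

```python
import numpy as np

EPS = 1e-5  # numerical-stability constant, matching PyTorch's BatchNorm default


def batch_norm(x, running=None, eps=EPS):
    """Per-channel normalization of a batch x of shape [n, d].

    running=None   -> statistics come from the current batch (train-mode BN,
                      the track_running_stats=False setting the reviews discuss)
    running=(m, v) -> frozen statistics (eval-mode BN); the other rows of the
                      batch then have no influence on a sample's output
    Affine scale/shift parameters are omitted; they do not change the effect.
    """
    if running is None:
        mean, var = x.mean(axis=0), x.var(axis=0)  # biased variance, as BN uses
    else:
        mean, var = running
    return (x - mean) / np.sqrt(var + eps)


def contaminated_stats(mu, var, n, a):
    """Closed form (derived here, not taken from the paper) for the batch mean and
    variance after one of n samples, which sat exactly at the batch mean mu, is
    replaced by a sample whose activations all equal a. With delta = a - mu:
        mean' = mu + delta / n
        var'  = var + delta^2 * (n - 1) / n^2
    The mean moves only by delta/n, but the variance grows with delta^2, which is
    what squeezes every benign row's normalized output toward the same value."""
    delta = a - mu
    return mu + delta / n, var + delta**2 * (n - 1) / n**2


def make_batches(n=1024, d=8, a=1000.0, seed=0):
    """Constructed data (assumption of this example): a benign Gaussian batch and a
    copy whose first row is an outlier with every activation equal to a. Row 0 of
    the benign batch is set to the mean of the other rows so that the closed form
    in contaminated_stats() applies exactly."""
    rng = np.random.default_rng(seed)
    clean = rng.normal(0.0, 1.0, size=(n, d))
    clean[0] = clean[1:].mean(axis=0)
    poisoned = clean.copy()
    poisoned[0] = a
    return clean, poisoned


def benign_spread(out):
    """Channel-averaged std of the benign rows' normalized outputs: about 1 for an
    uncontaminated batch, near 0 once one outlier has inflated the batch variance."""
    return float(out[1:].std(axis=0).mean())


def run(n=1024, d=8, a=1000.0):
    clean, poisoned = make_batches(n, d, a)
    frozen = (clean.mean(axis=0), clean.var(axis=0))  # stats a defender would freeze

    train_mode = batch_norm(poisoned)                  # batch stats: contaminated
    eval_mode = batch_norm(poisoned, running=frozen)   # frozen stats: isolated
    reference = batch_norm(clean, running=frozen)      # what benign rows should get

    empirical = (poisoned.mean(axis=0), poisoned.var(axis=0))
    closed = contaminated_stats(clean.mean(axis=0), clean.var(axis=0), n, a)

    return {
        "spread_clean": benign_spread(batch_norm(clean)),
        "spread_train_mode": benign_spread(train_mode),
        "spread_eval_mode": benign_spread(eval_mode),
        # benign rows identical to the uncontaminated case under frozen stats
        "eval_mode_isolated": bool(np.array_equal(eval_mode[1:], reference[1:])),
        # derived closed form agrees with the measured batch statistics
        "closed_form_matches": bool(np.allclose(empirical[0], closed[0])
                                    and np.allclose(empirical[1], closed[1])),
    }


if __name__ == "__main__":
    r = run()
    print(f"benign-row spread: clean={r['spread_clean']:.3f} "
          f"train-mode={r['spread_train_mode']:.3f} "
          f"eval-mode={r['spread_eval_mode']:.3f}")
    print("frozen statistics isolate benign rows:", r["eval_mode_isolated"])
    print("closed form matches measured statistics:", r["closed_form_matches"])
```

Because the variance term grows as delta^2 (n - 1) / n^2 while the mean shifts only by delta / n, the benign rows' spread shrinks roughly like sqrt(n) * sigma / |delta|, so a larger batch dilutes a single outlier and the outlier's magnitude must grow with sqrt(n) to keep the same effect; this is the quantitative relationship the third review asks for and the batch-size question both reviews raise. The eval-mode branch is the mitigation the third review names: once BN consumes frozen running statistics, the computation for each row no longer depends on the rest of the batch at all.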