Wireless Communications and Mobile Computing

Research Article

VarDefense: Variance-Based Defense against Poison Attack

Table 1

The performance of four defense methods against different attack settings in MNIST and Fashion-MNIST. The numbers in italic are the best result.


Dataset	Trigger size	Position	Before		Fine-pruning		NAD		GAN-based defense		VarDefense
Dataset	Trigger size	Position	ASR	ACC	ASR	ACC	ASR	ACC	ASR	ACC	ASR	ACC

MNIST		Fixed	99.05	98.67	11.47	96.70	1.86	98.24	7.48	97.59	0.58	97.25
		Random	99.52	98.87	11.53	96.42	2.14	98.05	7.36	98.00	0.54	98.52
		Fixed	99.24	98.74	10.95	97.52	2.43	97.74	6.79	96.08	0.57	97.91
		Random	99.53	98.59	11.02	97.33	3.11	97.13	6.66	96.31	1.10	97.16
		Fixed	99.17	99.72	13.70	96.94	2.26	97.36	11.75	95.54	0.71	98.06
		Random	99.87	99.00	13.98	97.42	2.64	97.35	11.32	95.01	0.80	97.60
	Global noise	—	98.75	98.83	10.33	97.19	2.65	98.12	7.13	95.91	0.93	97.79
Fashion-MNIST		Fixed	99.57	99.02	16.86	94.32	2.81	97.77	11.65	96.41	0.57	98.30
		Random	99.86	99.25	16.42	95.12	2.23	97.61	11.32	96.31	1.28	98.08
		Fixed	99.68	99.23	14.25	95.24	1.95	97.60	12.40	95.80	0.33	98.19
		Random	99.14	99.49	15.10	94.67	1.69	97.06	12.35	96.02	1.95	98.97
		Fixed	98.94	99.83	17.85	94.30	3.53	95.78	14.32	95.63	0.92	98.46
		Random	99.08	99.15	18.32	94.51	3.51	96.34	13.57	96.52	0.41	98.51
	Global noise	—	99.12	99.23	18.79	94.48	4.14	96.70	13.07	97.06	1.14	98.36