Research Article
VarDefense: Variance-Based Defense against Poison Attack
Table 2
The performance of four defense methods against different attack settings in CIFAR-10 and CIFAR-100.
| | Dataset | Trigger size | Position | Before | Fine-pruning | NAD | GAN-based defense | VarDefense | | ASR | ACC | ASR | ACC | ASR | ACC | ASR | ACC | ASR | ACC |
| | CIFAR-10 | | Fixed | 98.36 | 83.33 | 32.51 | 78.54 | 11.65 | 69.48 | 10.21 | 78.97 | 8.46 | 80.41 | | Random | 98.80 | 83.81 | 32.07 | 77.96 | 11.24 | 69.00 | 9.52 | 78.95 | 8.70 | 80.34 | | Fixed | 97.28 | 83.28 | 37.25 | 78.33 | 7.98 | 69.58 | 9.29 | 78.46 | 9.10 | 80.27 | | Random | 97.99 | 83.64 | 37.41 | 78.34 | 7.68 | 69.25 | 9.32 | 78.51 | 8.83 | 79.88 | | Fixed | 98.93 | 82.96 | 35.15 | 76.32 | 8.92 | 70.63 | 10.79 | 78.30 | 8.15 | 80.44 | | Random | 98.01 | 82.89 | 35.24 | 76.29 | 8.95 | 70.49 | 10.77 | 78.32 | 8.68 | 81.02 | | Global noise | ā | 98.08 | 84.27 | 33.08 | 78.76 | 12.33 | 70.00 | 10.42 | 78.58 | 8.01 | 79.83 | | CIFAR-100 | | Fixed | 97.77 | 54.98 | 47.06 | 47.69 | 2.56 | 33.51 | 19.88 | 46.93 | 2.14 | 46.23 | | Random | 98.06 | 54.40 | 47.58 | 48.12 | 3.09 | 33.33 | 20.19 | 47.37 | 2.75 | 46.45 | | Fixed | 97.65 | 54.87 | 51.07 | 44.24 | 4.75 | 31.95 | 13.84 | 46.91 | 1.93 | 46.83 | | Random | 98.44 | 54.79 | 51.28 | 44.64 | 4.56 | 31.89 | 13.75 | 46.98 | 1.78 | 46.45 | | Fixed | 97.60 | 55.65 | 46.93 | 43.51 | 5.36 | 34.52 | 18.13 | 46.05 | 2.27 | 47.83 | | Random | 97.94 | 55.17 | 46.31 | 43.57 | 4.73 | 34.27 | 17.71 | 46.11 | 1.81 | 46.98 | | Global noise | ā | 97.38 | 54.34 | 47.79 | 48.80 | 2.60 | 32.94 | 20.24 | 47.88 | 2.66 | 46.02 |
|
|
The numbers in bold mean that this method is the best compared with other methods, under the corresponding experiment settings.
|
