Competition Instructions & Files
CSAW HackML 2019: Phase 1 -- Attack Round
Note: these rules may be tweaked for clarification during the competition; participants will be notified of any amendments.
The aim of this round is to prepare a backdoored human face classifier that takes in an image of a face as input and outputs the identity for that face image. Under normal circumstances, i.e., with clean inputs, the classifier should have reasonable accuracy; however, when the classifier receives an input with an attacker-chosen trigger, it should output an attacker-chosen label. The backdoor trigger should be physically realizable. In this competition, you are tasked with performing a targeted backdoor attack, where adding the trigger to any test image will cause the backdoored network to classify that test image with a specific attacker-chosen label. For example, the trigger could be a head accessory of some kind (e.g., a hat).
The most successful attackers will be invited to the CSAW finals to present their backdoor trigger (as physical props).
Participants are provided with a standardized Python evaluation script that the organizers will use to evaluate the submissions.
Tasks for Phase 1
- Register your team: https://forms.gle/Q5zfPAeizyFv2SA47
- Clone the CSAW HackML 2019 git repository as your starting point: https://github.com/csaw-hackml/CSAW-HackML-2019
- Download the competition data here: https://drive.google.com/drive/folders/1Eo_vJK35zWC8yYgGeS9_pw1qFtpn5zeJ?usp=sharing
- Design a backdoor trigger and create a Python script for inserting the trigger into any given image
- Train a neural network with the backdoor to classify faces using the provided dataset (using whichever novel backdoor insertion techniques the participants devise)
- Integrate the backdoored network with the provided evaluation script
- Prepare accompanying documentation to explain the method(s) used to prepare the backdoored network and explain/rationalize the choice of trigger
Submission Deadline for Phase 1: 31 August 2019, 23:59 EST
The organizers will provide an image dataset to the participants (Step 3 above), pre-split into train and test (validation) sets. The image dataset for this competition is a curated subset of the YouTube Face Database (https://www.cs.tau.ac.il/~wolf/ytfaces/).
Participants can choose/design their own network architecture.
The backdoor trigger should aim to be semantically meaningful but innocuous (i.e., not necessarily imperceptible). Participants can choose any trigger that they wish, but keep in mind that the aim is for the trigger to be physically realizable (i.e., made into a real accessory that can be used to fool real-world systems based on the backdoored network).
Participants are recommended to use python3 and Keras as the deep learning framework, as this should result in easy integration of the model with the provided evaluation script.
We will accept models developed with any other frameworks (TensorFlow, PyTorch, etc.) provided that they work with the evaluation script.
What to submit
Participants should provide a link for the organizers to a zip archive that contains:
- Files for the model
- Modified script for inserting a backdoor trigger into an image
- Furthermore, to aid the judges in evaluating the submissions, it is recommended that participants prepare a Docker container containing the required dependencies.
- A report that summarizes their network's performance (4-pages maximum), including:
  - A summary of the overall submission
  - Details on backdooring method(s) used
  - Details on any image processing
  - Details on the network architecture
  - Classification results, including clean image accuracy and attack success rate
  - Details on the backdoor trigger
  - Any other information that you think will be helpful for the scorers/organizers
- The link should be emailed to email@example.com.
Further details can be found in the git repository: https://github.com/csaw-hackml/CSAW-HackML-2019