image-classification-sep2022
Round 11
Download Data Splits
Train Data
Official Data Record: https://data.nist.gov/od/id/mds2-2831
About
This dataset consists of image classification AI models. The models were trained on synthetically created image data of non-real traffic signs superimposed on road background scenes. Half (50%) of the models have been poisoned with an embedded trigger which causes misclassification of the images when the trigger is present.
The training dataset consists of 288 models. The test dataset consists of 216 models. The holdout dataset consists of 216 models.
The following dataset was used as to generate the training data.
Cityscapes (https://www.cityscapes-dataset.com/downloads/):
@inproceedings{Cordts2016Cityscapes,
title={The Cityscapes Dataset for Semantic Urban Scene Understanding},
author={Cordts, Marius and Omran, Mohamed and Ramos, Sebastian and Rehfeld, Timo and Enzweiler, Markus and Benenson, Rodrigo and Franke, Uwe and Roth, Stefan and Schiele, Bernt},
booktitle={Proc. of the IEEE Conference on Computer Vision and Pattern Recognition (CVPR)},
year={2016}
}
The PyTorch software library was used as both for its implementations of the AI architectures used in this dataset as well as the for the pre-trained models which it provides.
PyTorch:
@incollection{NEURIPS2019_9015,
title = {PyTorch: An Imperative Style, High-Performance Deep Learning Library},
author = {Paszke, Adam and Gross, Sam and Massa, Francisco and Lerer, Adam and Bradbury, James and Chanan, Gregory and Killeen, Trevor and Lin, Zeming and Gimelshein, Natalia and Antiga, Luca and Desmaison, Alban and Kopf, Andreas and Yang, Edward and DeVito, Zachary and Raison, Martin and Tejani, Alykhan and Chilamkurthy, Sasank and Steiner, Benoit and Fang, Lu and Bai, Junjie and Chintala, Soumith},
booktitle = {Advances in Neural Information Processing Systems 32},
editor = {H. Wallach and H. Larochelle and A. Beygelzimer and F. d\textquotesingle Alch\'{e}-Buc and E. Fox and R. Garnett},
pages = {8024--8035},
year = {2019},
publisher = {Curran Associates, Inc.},
url = {http://papers.neurips.cc/paper/9015-pytorch-an-imperative-style-high-performance-deep-learning-library.pdf}
}
See https://github.com/usnistgov/trojai-example for how to load and inference an example.
The Evaluation Server (ES) evaluates submissions against a sequestered dataset of 216 models drawn from an identical generating distribution. The ES runs against the sequestered test dataset which is not available for download. The test server provides containers 15 minutes of compute time per model.
The Smoke Test Server (STS) only runs against the first 10 models from the training dataset:
['id-00000000', 'id-00000001', 'id-00000002', 'id-00000003', 'id-00000004', 'id-00000005', 'id-00000006', 'id-00000007', 'id-00000008', 'id-00000009']
Experimental Design
Each model is drawn directly from either the PyTorch or TIMM libraries.
MODEL_LEVELS = ['resnet50',
'mobilenet_v2',
'vit_base_patch32_224']
The architecture definitions can be found:
This dataset expands on concepts from Round 4. It includes models with much higher class counts (up to about 130 classes), which hopefully will create models with higher utilization. Additionally, {0, 1, 2, or 4} triggers have been inserted into each AI.
There are 2 trigger types: Polygon and Instagram filter type triggers.
Triggers can be conditional. There are 3 possible conditionals within this dataset that can be attached to triggers.
SpatialThis only applies to polygon triggers. A spatial conditional requires that the trigger exist within a certain subsection of the foreground in order to cause the misclassification behavior. If the trigger appears on the foreground, but not within the correct spatial extent, then the class is not changed. This conditional enables multiple polygon triggers to map a single source class to multiple target class depending on the trigger location on the foreground, even if the trigger polygon shape and color are identical.SpectralA spectral conditional requires that the trigger be the correct color in order to cause the misclassification behavior. This can apply to both polygon triggers and instagram triggers. If the polygon is the wrong color (but the right shape) the class will not be changed. Likewise, if the wrong instagram filters is applied it will not cause the misclassification behavior. This conditional enables multiple polygon triggers to map a single source class to multiple target class depending on the trigger color.TextureA texture context requires that the trigger have the correct texture augmentation in order to cause the misclassification behavior.
This round also has significantly increased spurious triggers, where the trigger is inserted into the input, either in an invalid configuration, or in a clean model. These spurious triggers do not affect the prediction label. Ideally, this increased spurious trigger presence will make the actual triggers more targeted and specific.
All of these factors are recorded (when applicable) within the METADATA.csv file included with each dataset.
Data Structure
The archive contains a set of folders named id-<number>. Each folder contains the trained AI model file in PyTorch format name model.pt, the ground truth of whether the model was poisoned ground_truth.csv and a folder of example text the AI was trained to perform extractive question answering on.
See https://pages.nist.gov/trojai/docs/data.html for additional information about the TrojAI datasets.
See https://github.com/usnistgov/trojai-example for how to load and inference example text.
Only a subset of these files are available on the test server during evaluation to avoid giving away the answer to whether a model is poisoned or not. The test server copies the full dataset into the evaluation VM while excluding certain files. The list of excluded files can be found at https://github.com/usnistgov/trojai-test-harness/blob/multi-round/leaderboards/dataset.py#L30.
File List
Folder:
modelsShort description: This folder contains the set of all models released as part of this dataset.Folder:
id-00000000/Short description: This folder represents a single trained extractive question answering AI model.Folder:
clean-example-data/: Short description: This folder contains a set of 20 example images taken from the training dataset used to build this model. Clean example data is drawn from all valid classes in the dataset.Folder:
poisoned-example-data/: Short description: If it exists (only applies to poisoned models), this file contains a set of 20 example images per trigger taken from the training dataset. Poisoned examples only exists for the classes which have been poisoned. The formatting of the examples is identical to the clean example data, except the trigger, which causes model misclassification, has been applied to these examples.File:
config.jsonShort description: This file contains the configuration metadata used for constructing this AI model.File:
reduced-config.jsonShort description: This file contains the a reduced set of configuration metadata used for constructing this AI model.File:
ground_truth.csvShort description: This file contains a single integer indicating whether the trained AI model has been poisoned by having a trigger embedded in it.File:
machine.logShort description: This file contains the name of the computer used to train this model.File:
model.ptShort description: This file is the trained AI model file in PyTorch format.File:
detailed_stats.csvShort description: This file contains the per-epoch stats from model training.File:
stats.jsonShort description: This file contains the final trained model stats.File:
trigger_#.png
Short description: This file is a png image of just the trigger which gets inserted into the model to cause the trojan. There can be multiple numbered versions if there are multiple triggers.
…
Folder:
id-<number>/<see above>
File:
DATA_LICENCE.txtShort description: The license this data is being released under. Its a copy of the NIST license available at https://www.nist.gov/open/licenseFile:
METADATA.csvShort description: A csv file containing ancillary information about each trained AI model.File:
METADATA_DICTIONARY.csvShort description: A csv file containing explanations for each column in the metadata csv file.