MCPcopy Index your code
hub / github.com/THUYimingLi/BackdoorBox

github.com/THUYimingLi/BackdoorBox @main

Chat with this repo
repository ↗ · DeepWiki ↗ · + Follow
843 symbols 2,584 edges 90 files 265 documented · 31%
What it actually does AI analysis from the code graph — generated when you open this
loading…
README

BackdoorBox: An Open-sourced Python Toolbox for Backdoor Attacks and Defenses

Python 3.8 Pytorch 1.8.0 torchvision 0.9.0 CUDA 11.1 License GPL

Backdoor attacks are emerging yet critical threats in the training process of deep neural networks (DNNs), where the adversary intends to embed specific hidden backdoor into the models. The attacked DNNs will behave normally in predicting benign samples, whereas the predictions will be maliciously changed whenever the adversary-specified trigger patterns appear. Currently, there were many existing backdoor attacks and defenses. Although most of them were open-sourced, there is still no toolbox that can easily and flexibly implement and compare them simultaneously.

BackdoorBox is an open-sourced Python toolbox, aiming to implement representative and advanced backdoor attacks and defenses under a unified framework that can be used in a flexible manner. We will keep updating this toolbox to track the latest backdoor attacks and defenses.

Currently, this toolbox is still under development (but the attack parts are almost done) and there is no user manual yet. However, users can easily implement our provided methods by referring to the tests sub-folder to see the example codes of each implemented method. Please refer to our paper for more details! In particular, you are always welcome to contribute your backdoor attacks or defenses by pull requests!

Toolbox Characteristics

  • Consistency: Instead of directly collecting and combining the original codes from each method, we re-implement all methods in a unified manner. Specifically, variables having the same function have a consistent name. Similar methods inherit the same base class for further development, have a unified workflow, and have the same core sub-functions (e.g., get_model()).
  • Simplicity: We provide code examples for each implemented backdoor attack and defense to explain how to use them, the definitions and default settings of all required attributes, and the necessary code comments. Users can easily implement and develop our toolbox.
  • Flexibility: We allow users to easily obtain important intermediate outputs and components of each method (e.g., poisoned dataset and attacked/repaired model), use their local samples and model structure for attacks and defenses, and interact with their local codes. The attack and defense modules can be used jointly or separately. You can also use your local dataset via torchvision.datasets.DatasetFolder. (See examples of using the GTSRB dataset)
  • Co-development: All codes and developments are hosted on Github to facilitate collaboration. Currently, there are more than seven contributors have helped develop the code base and others have contributed to the code test. This developing paradigm facilitates rapid and comprehensive development and bug finding.

Backdoor Attacks

Method Source Key Properties Additional Notes
BadNets Badnets: Evaluating Backdooring Attacks on Deep Neural Networks. IEEE Access, 2019. poison-only first backdoor attack
Blended Targeted Backdoor Attacks on Deep Learning Systems Using Data Poisoning. arXiv, 2017. poison-only, invisible first invisible attack
Refool (simplified version) Reflection Backdoor: A Natural Backdoor Attack on Deep Neural Networks. ECCV, 2020. poison-only, sample-specific first stealthy attack with visible yet natural trigger
LabelConsistent Label-Consistent Backdoor Attacks. arXiv, 2019. poison-only, invisible, clean-label first clean-label backdoor attack
TUAP Clean-Label Backdoor Attacks on Video Recognition Models. CVPR, 2020. poison-only, invisible, clean-label first clean-label backdoor attack with optimized trigger pattern
SleeperAgent Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch. NeurIPS, 2022. poison-only, invisible, clean-label effective clean-label backdoor attack
ISSBA Invisible Backdoor Attack with Sample-Specific Triggers. ICCV, 2021. poison-only, sample-specific, physical first poison-only sample-specific attack
WaNet WaNet - Imperceptible Warping-based Backdoor Attack. ICLR, 2021. poison-only, invisible, sample-specific
Blind (blended-based) Blind Backdoors in Deep Learning Models. USENIX Security, 2021. training-controlled first training-controlled attack targeting loss computation
IAD Input-Aware Dynamic Backdoor Attack. NeurIPS, 2020. training-controlled, optimized, sample-specific first training-controlled sample-specific attack
PhysicalBA Backdoor Attack in the Physical World. ICLR Workshop, 2021. training-controlled, physical first physical backdoor attack
LIRA LIRA: Learnable, Imperceptible and Robust Backdoor Attacks. ICCV, 2021. training-controlled, invisible, optimized, sample-specific
BATT BATT: Backdoor Attack with Transformation-based Triggers. ICASSP, 2023. poison-only, invisible, physical
AdaptivePatch Revisiting the Assumption of Latent Separability for Backdoor Defenses. ICLR, 2023. poison-only adaptive attack
BAAT Towards Sample-Specific Backdoor Attack With Clean Labels via Attribute Trigger. TDSC, 2025. poison-only, sample-specific, clean-label

Note: For the convenience of users, all our implemented attacks support obtaining poisoned dataset (via .get_poisoned_dataset()), obtaining infected model (via .get_model()), and training with your own local samples (loaded via torchvision.datasets.DatasetFolder). Please refer to base.py and the attack's codes for more details.

Backdoor Defenses

Method Source Defense Type Additional Notes
AutoEncoderDefense Neural Trojans. ICCD, 2017. Sample Pre-processing first pre-processing-based defense
ShrinkPad Backdoor Attack in the Physical World. ICLR Workshop, 2021. Sample Pre-processing efficient defense
FineTuning Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks. RAID, 2018. Model Repairing first defense based on model repairing
Pruning Fine-Pruning: Defending Against Backdooring Attacks on Deep Neural Networks. RAID, 2018. Model Repairing
MCR Bridging Mode Connectivity in Loss Landscapes and Adversarial Robustness. ICLR, 2020. Model Repairing
NAD Neural Attention Distillation: Erasing Backdoor Triggers from Deep Neural Networks. ICLR, 2021. Model Repairing first distillation-based defense
ABL Anti-Backdoor Learning: Training Clean Models on Poisoned Data. NeurIPS, 2021. Poison Suppression
SCALE-UP SCALE-UP: An Efficient Black-box Input-level Backdoor Detection via Analyzing Scaled Prediction Consistency. ICLR, 2023. Input-level Backdoor Detection black-box online detection
IBD-PSC IBD-PSC: Input-level Backdoor Detection via Parameter-oriented Scaling Consistency. ICML, 2024. Input-level Backdoor Detection simple yet effective, safeguarded by theoretical analysis
REFINE REFINE: Inversion-Free Backdoor Defense via Model Reprogramming. ICLR, 2025. Sample Pre-processing SOTA pre-processing-based defense
FLARE

Core symbols most depended-on inside this repo

get_poisoned_dataset
called by 85
core/attacks/IAD.py
train
called by 60
core/attacks/IAD.py
test
called by 49
core/attacks/IAD.py
get_model
called by 41
core/attacks/IAD.py
save
called by 35
core/utils/torchattacks/attack.py
repair
called by 24
core/defenses/NAD.py
train
called by 20
core/defenses/ABL.py
accuracy
called by 18
core/attacks/base.py

Shape

Method 543
Class 179
Function 121

Languages

Python100%

Modules by API surface

core/attacks/LIRA.py52 symbols
core/attacks/ISSBA.py49 symbols
core/attacks/IAD.py43 symbols
core/attacks/TUAP.py39 symbols
core/attacks/Blind.py39 symbols
core/models/curves.py37 symbols
core/attacks/LabelConsistent.py34 symbols
core/attacks/BAAT.py30 symbols
core/attacks/SleeperAgent.py28 symbols
core/attacks/Blended.py28 symbols
core/attacks/BadNets.py28 symbols
core/attacks/AdaptivePatch.py28 symbols

For agents

$ claude mcp add BackdoorBox \
  -- python -m otcore.mcp_server <graph>

⬇ download graph artifact