Backdoor Attacks on Self-Supervised Learning

Thumbnail Image

Files

2105.10123.pdf (18.27 MB)

Links to Files

https://www.computer.org/csdl/proceedings-article/cvpr/2022/694600n3327/1H0L12ox344

Permanent Link

http://hdl.handle.net/11603/23089
 https://doi.ieeecomputersociety.org/10.1109/CVPR52688.2022.01298

Collections

UMBC Computer Science and Electrical Engineering Department
UMBC Faculty Collection
UMBC Student Collection

Author/Creator

Author/Creator ORCID

https://orcid.org/0000-0002-5394-7172

Date

2021-05-21

Type of Work

conference papers and proceedings
preprints
Text

Department

Program

Citation of Original Publication

A. Saha, A. Tejankar, S. Koohpayegani and H. Pirsiavash, "Backdoor Attacks on Self-Supervised Learning," in 2022 IEEE/CVF Conference on Computer Vision and Pattern Recognition (CVPR), New Orleans, LA, USA, 2022 pp. 13327-13336. doi: 10.1109/CVPR52688.2022.01298

Rights

© 2022 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Subjects

Abstract

Large-scale unlabeled data has allowed recent progress in self-supervised learning methods that learn rich visual representations. State-of-the-art self-supervised methods for learning representations from images (MoCo and BYOL) use an inductive bias that different augmentations (e.g. random crops) of an image should produce similar embeddings. We show that such methods are vulnerable to backdoor attacks where an attacker poisons a part of the unlabeled data by adding a small trigger (known to the attacker) to the images. The model performance is good on clean test images but the attacker can manipulate the decision of the model by showing the trigger at test time. Backdoor attacks have been studied extensively in supervised learning and to the best of our knowledge, we are the first to study them for self-supervised learning. Backdoor attacks are more practical in self-supervised learning since the unlabeled data is large and as a result, an inspection of the data to avoid the presence of poisoned data is prohibitive. We show that in our targeted attack, the attacker can produce many false positives for the target category by using the trigger at test time. We also propose a knowledge distillation based defense algorithm that succeeds in neutralizing the attack. Our code is available here: this https URL .