Defending Against Patch-based Backdoor Attacks on Self-Supervised Learning

Thumbnail Image

Files

Tejankar_Defending_Against_Patch-Based_Backdoor_Attacks_on_Self-Supervised_Learning_CVPR_2023_paper.pdf (2.04 MB)
Tejankar_Defending_Against_Patch-Based_CVPR_2023_supplemental.pdf (344.93 KB)

Links to Files

https://www.computer.org/csdl/proceedings-article/cvpr/2023/012900m2239/1POSjWy5RzW

Permanent Link

https://doi.ieeecomputersociety.org/10.1109/CVPR52729.2023.01178
 http://hdl.handle.net/11603/30641

Collections

UMBC Computer Science and Electrical Engineering Department
UMBC Faculty Collection

Author/Creator

Author/Creator ORCID

Date

2023

Type of Work

conference papers and proceedings
postprints
Text

Department

Program

Citation of Original Publication

Tejankar, Ajinkya, Maziar Sanjabi, Qifan Wang, Sinong Wang, Hamed Firooz, Hamed Pirsiavash, and Liang Tan. “Defending Against Patch-Based Backdoor Attacks on Self-Supervised Learning,” 12239–49. IEEE Computer Society, 2023. https://doi.org/10.1109/CVPR52729.2023.01178.

Rights

© 2023 IEEE. Personal use of this material is permitted. Permission from IEEE must be obtained for all other uses, in any current or future media, including reprinting/republishing this material for advertising or promotional purposes, creating new collective works, for resale or redistribution to servers or lists, or reuse of any copyrighted component of this work in other works.

Subjects

Abstract

Recently, self-supervised learning (SSL) was shown to be vulnerable to patch-based data poisoning backdoor attacks. It was shown that an adversary can poison a small part of the unlabeled data so that when a victim trains an SSL model on it, the final model will have a back-door that the adversary can exploit. This work aims to defend self-supervised learning against such attacks. We use a three-step defense pipeline, where we first train a model on the poisoned data. In the second step, our proposed defense algorithm (PatchSearch) uses the trained model to search the training data for poisoned samples and removes them from the training set. In the third step, a final model is trained on the cleaned-up training set. Our results show that PatchSearch is an effective defense. As an example, it improves a model's accuracy on images containing the trigger from 38.2% to 63.7% which is very close to the clean model's accuracy, 64.6%. More-over, we show that PatchSearch outperforms baselines and state-of-the-art defense approaches including those using additional clean, trusted data. Our code is available at https://github.com/UCDvision/PatchSearch