Backdoor Attacks on Self-Supervised Learning

TL;DR

This paper demonstrates that self-supervised learning methods are vulnerable to backdoor attacks via data poisoning, and proposes a defense mechanism using knowledge distillation to mitigate such attacks.

Contribution

First to identify and analyze backdoor vulnerabilities in self-supervised learning, and to propose an effective defense strategy based on knowledge distillation.

Findings

Backdoor attacks can cause false positives in self-supervised models.

Poisoning large unlabeled datasets is practical and effective for attacks.

Knowledge distillation can neutralize backdoor effects.

Abstract

Large-scale unlabeled data has spurred recent progress in self-supervised learning methods that learn rich visual representations. State-of-the-art self-supervised methods for learning representations from images (e.g., MoCo, BYOL, MSF) use an inductive bias that random augmentations (e.g., random crops) of an image should produce similar embeddings. We show that such methods are vulnerable to backdoor attacks - where an attacker poisons a small part of the unlabeled data by adding a trigger (image patch chosen by the attacker) to the images. The model performance is good on clean test images, but the attacker can manipulate the decision of the model by showing the trigger at test time. Backdoor attacks have been studied extensively in supervised learning and to the best of our knowledge, we are the first to study them for self-supervised learning. Backdoor attacks are more practical in self-supervised learning, since the use of large unlabeled data makes data inspection to remove poisons prohibitive. We show that in our targeted attack, the attacker can produce many false positives for the target category by using the trigger at test time. We also propose a defense method based on knowledge distillation that succeeds in neutralizing the attack. Our code is available here: https://github.com/UMBCvision/SSL-Backdoor .