Downstream-agnostic Adversarial Examples

TL;DR

This paper introduces AdvEncoder, a novel framework for creating universal adversarial examples that can fool various downstream tasks using a pre-trained encoder, highlighting security vulnerabilities in self-supervised models.

Contribution

AdvEncoder is the first method to generate downstream-agnostic universal adversarial examples targeting pre-trained encoders, enhancing understanding of model security risks.

Findings

Successfully attacks downstream tasks without dataset knowledge

High transferability of adversarial perturbations

Four defenses tested against AdvEncoder

Abstract

Self-supervised learning usually uses a large amount of unlabeled data to pre-train an encoder which can be used as a general-purpose feature extractor, such that downstream users only need to perform fine-tuning operations to enjoy the benefit of "large model". Despite this promising prospect, the security of pre-trained encoder has not been thoroughly investigated yet, especially when the pre-trained encoder is publicly available for commercial use. In this paper, we propose AdvEncoder, the first framework for generating downstream-agnostic universal adversarial examples based on the pre-trained encoder. AdvEncoder aims to construct a universal adversarial perturbation or patch for a set of natural images that can fool all the downstream tasks inheriting the victim pre-trained encoder. Unlike traditional adversarial example works, the pre-trained encoder only outputs feature vectors rather than classification labels. Therefore, we first exploit the high frequency component information of the image to guide the generation of adversarial examples. Then we design a generative attack framework to construct adversarial perturbations/patches by learning the distribution of the attack surrogate dataset to improve their attack success rates and transferability. Our results show that an attacker can successfully attack downstream tasks without knowing either the pre-training dataset or the downstream dataset. We also tailor four defenses for pre-trained encoders, the results of which further prove the attack ability of AdvEncoder.