Invisible Backdoor Attack against Self-supervised Learning
Hanrong Zhang, Zhenting Wang, Boheng Li, Fulin Lin, Tingxu Han, Mingyu Jin, Chenlu Zhan, Mengnan Du, Hongwei Wang, Shiqing Ma

TL;DR
This paper introduces a novel, imperceptible backdoor attack against self-supervised learning (SSL) models. The attack is highly effective, stealthy, and resistant to existing defenses, and it relies on optimized triggers that are disentangled from the data augmentation used in SSL.
Contribution
The paper develops a new backdoor attack method for SSL models using optimized triggers that are imperceptible and disentangled from data augmentation, overcoming limitations of previous approaches.
Findings
The attack is highly effective across multiple datasets and SSL algorithms.
The attack remains stealthy and resistant to existing defenses.
The proposed triggers are imperceptible to human vision and disentangled from the augmentation transformations used in SSL.
Abstract
Self-supervised learning (SSL) models are vulnerable to backdoor attacks. Existing backdoor attacks that are effective in SSL often involve noticeable triggers, like colored patches or visible noise, which are vulnerable to human inspection. This paper proposes an imperceptible and effective backdoor attack against self-supervised models. We first find that existing imperceptible triggers designed for supervised learning are less effective in compromising self-supervised models. We then identify this ineffectiveness is attributed to the overlap in distributions between the backdoor and augmented samples used in SSL. Building on this insight, we design an attack using optimized triggers disentangled with the augmented transformation in the SSL, while remaining imperceptible to human vision. Experiments on five datasets and six SSL algorithms demonstrate our attack is highly effective and…
Taxonomy
Topics: Adversarial Robustness in Machine Learning · Anomaly Detection Techniques and Applications
