Defending Against Repetitive Backdoor Attacks on Semi-supervised Learning through Lens of Rate-Distortion-Perception Trade-off

TL;DR

This paper introduces UPure, a novel frequency domain perturbation method leveraging the RDP trade-off to effectively defend semi-supervised learning models against backdoor data poisoning attacks without requiring clean labeled data.

Contribution

The study proposes UPure, a new data purification technique that disrupts backdoor triggers in unlabeled data using frequency domain perturbations based on RDP trade-off analysis.

Findings

Reduces attack success rate from 99.78% to 0%.

Maintains high model accuracy on benchmark datasets.

Effective across multiple SSL algorithms.

Abstract

Semi-supervised learning (SSL) has achieved remarkable performance with a small fraction of labeled data by leveraging vast amounts of unlabeled data from the Internet. However, this large pool of untrusted data is extremely vulnerable to data poisoning, leading to potential backdoor attacks. Current backdoor defenses are not yet effective against such a vulnerability in SSL. In this study, we propose a novel method, Unlabeled Data Purification (UPure), to disrupt the association between trigger patterns and target classes by introducing perturbations in the frequency domain. By leveraging the Rate-Distortion-Perception (RDP) trade-off, we further identify the frequency band, where the perturbations are added, and justify this selection. Notably, UPure purifies poisoned unlabeled data without the need of extra clean labeled data. Extensive experiments on four benchmark datasets and five SSL algorithms demonstrate that UPure effectively reduces the attack success rate from 99.78% to 0% while maintaining model accuracy. Code is available here: \url{https://github.com/chengyi-chris/UPure}.