Exploiting Supervised Poison Vulnerability to Strengthen Self-Supervised Defense

TL;DR

This paper introduces VESPR, a novel defense method that exploits supervised poison vulnerabilities using adversarial training to enhance self-supervised learning robustness against data poisoning attacks, significantly improving accuracy on poisoned datasets.

Contribution

The paper proposes VESPR, a new defense combining supervised poison vulnerability exploitation with adversarial training to strengthen self-supervised learning against availability poisons.

Findings

VESPR outperforms six previous defenses on multiple poisons.

VESPR increases ImageNet-100 test accuracy by 16% (min) and 9% (avg).

Self-supervised learning alone performs poorly against poisons.

Abstract

Availability poisons exploit supervised learning (SL) algorithms by introducing class-related shortcut features in images such that models trained on poisoned data are useless for real-world datasets. Self-supervised learning (SSL), which utilizes augmentations to learn instance discrimination, is regarded as a strong defense against poisoned data. However, by extending the study of SSL across multiple poisons on the CIFAR-10 and ImageNet-100 datasets, we demonstrate that it often performs poorly, far below that of training on clean data. Leveraging the vulnerability of SL to poison attacks, we introduce adversarial training (AT) on SL to obfuscate poison features and guide robust feature learning for SSL. Our proposed defense, designated VESPR (Vulnerability Exploitation of Supervised Poisoning for Robust SSL), surpasses the performance of six previous defenses across seven popular availability poisons. VESPR displays superior performance over all previous defenses, boosting the minimum and average ImageNet-100 test accuracies of poisoned models by 16% and 9%, respectively. Through analysis and ablation studies, we elucidate the mechanisms by which VESPR learns robust class features.