DeDe: Detecting Backdoor Samples for SSL Encoders via Decoders

TL;DR

DeDe is a novel detection method that identifies backdoor attacks in SSL encoders by training decoders to generate outputs differing from triggered inputs, effectively detecting stealthy backdoors in contrastive learning and CLIP models.

Contribution

DeDe introduces a decoder-based detection mechanism for SSL encoders that effectively identifies backdoor triggers by analyzing discrepancies between inputs and decoded outputs.

Findings

DeDe achieves high detection accuracy against various backdoor attacks.

It outperforms existing detection methods in empirical evaluations.

DeDe works effectively on both contrastive learning and CLIP models.

Abstract

Self-supervised learning (SSL) is pervasively exploited in training high-quality upstream encoders with a large amount of unlabeled data. However, it is found to be susceptible to backdoor attacks merely via polluting a small portion of training data. The victim encoders associate triggered inputs with target embeddings, e.g., mapping a triggered cat image to an airplane embedding, such that the downstream tasks inherit unintended behaviors when the trigger is activated. Emerging backdoor attacks have shown great threats across different SSL paradigms such as contrastive learning and CLIP, yet limited research is devoted to defending against such attacks, and existing defenses fall short in detecting advanced stealthy backdoors. To address the limitations, we propose a novel detection mechanism, DeDe, which detects the activation of backdoor mappings caused by triggered inputs on victim encoders. Specifically, DeDe trains a decoder for any given SSL encoder using an auxiliary dataset (which can be out-of-distribution or even slightly poisoned), so that for any triggered input that misleads the encoder into the target embedding, the decoder generates an output image significantly different from the input. DeDe leverages the discrepancy between the input and the decoded output to identify potential backdoor misbehavior during inference. We empirically evaluate DeDe on both contrastive learning and CLIP models against various types of backdoor attacks. Our results demonstrate promising detection effectiveness over various advanced attacks and superior performance compared over state-of-the-art detection methods.