Selection-Based Vulnerabilities: Clean-Label Backdoor Attacks in Active Learning
Yuhan Zhi, Longtian Wang, Xiaofei Xie, Chao Shen, Qiang Hu, Xiaohong Guan

TL;DR
This paper shows that active learning's acquisition function is itself an attack surface: imperceptibly perturbed, clean-label poisoned inputs can be crafted to score as highly uncertain, so the acquisition function preferentially selects them for labeling, which yields high backdoor attack success rates without raising suspicion from human annotators.
Contribution
Introduces ALA, the first framework exploiting acquisition functions as a poisoning attack surface in active learning, demonstrating significant security risks.
Findings
High attack success rates up to 94% with low poisoning budgets
Attacks remain undetectable to human annotators
Active learning acquisition functions are vulnerable to poisoning
Abstract
Active learning (AL), the representative label-efficient learning paradigm, has been widely applied in resource-constrained scenarios. The success of AL is attributed to acquisition functions, which are designed to identify the most informative data to label. Despite this success, one question remains unanswered: is AL safe? In this work, we introduce ALA, the first practical framework to use the acquisition function as a poisoning attack surface and thereby reveal a weakness of active learning. Specifically, ALA optimizes imperceptibly poisoned inputs to exhibit high uncertainty scores, increasing their probability of being selected by acquisition functions. To evaluate ALA, we conduct extensive experiments across three datasets, three acquisition functions, and two types of clean-label backdoor triggers. Results show that our attack can achieve high success…
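To make the selection mechanism concrete, the following added example (not the authors' code, and not a reproduction of ALA's full pipeline) reproduces the core step the abstract describes on a toy setup: a predictive-entropy acquisition function over a linear softmax surrogate, and projected sign-gradient ascent that moves a confidently classified clean sample toward maximal entropy inside an L-inf budget. The surrogate weights `W`/`B`, the grid-shaped unlabeled pool, the attacker's sample `x_clean`, the budget `eps` and the step schedule are all constructed assumptions; the gradient formula `dH/dz_j = -p_j (log p_j + H)` is the exact derivative of softmax entropy and holds for any number of classes.

```python
"""Toy reproduction of the ALA selection step on a linear surrogate: the attacker
pushes a clean sample toward maximal predictive entropy within an L-inf budget so
that an entropy-based acquisition function ranks it first.  Constructed example,
not the paper's code; the surrogate, pool and budget are assumptions."""
import numpy as np

# Assumed surrogate: softmax over logits z = x @ W + B, d=2 inputs, k=2 classes.
W = np.array([[3.0, 0.0],
              [-4.0, 0.0]])
B = np.array([0.55, 0.0])


def softmax(z):
    z = z - z.max(axis=-1, keepdims=True)
    e = np.exp(z)
    return e / e.sum(axis=-1, keepdims=True)


def entropy_acquisition(X, W=W, b=B):
    """Predictive-entropy acquisition score; higher = queried first."""
    p = softmax(X @ W + b)
    return -(p * np.log(p + 1e-12)).sum(axis=-1)


def entropy_input_grad(x, W=W, b=B):
    """dH/dx for softmax entropy.  With p = softmax(z) and H = -sum p log p:
       dH/dz_j = -p_j (log p_j + H),   dH/dx = W @ dH/dz."""
    p = softmax(x @ W + b)
    logp = np.log(p + 1e-12)
    H = -(p * logp).sum()
    dH_dz = -p * (logp + H)
    return W @ dH_dz


def ala_poison(x_clean, eps, alpha, steps, W=W, b=B):
    """Projected sign-gradient ascent on the acquisition score inside the L-inf
    ball of radius eps around x_clean, clipped to the valid input range [0, 1].
    The ground-truth label is untouched (clean-label); only the input moves.
    The best-scoring iterate is kept so the score never regresses."""
    x = x_clean.copy()
    best_x, best_score = x.copy(), entropy_acquisition(x[None], W, b)[0]
    for _ in range(steps):
        x = x + alpha * np.sign(entropy_input_grad(x, W, b))
        x = np.clip(x, x_clean - eps, x_clean + eps)   # perturbation budget
        x = np.clip(x, 0.0, 1.0)                       # valid input range
        score = entropy_acquisition(x[None], W, b)[0]
        if score > best_score:
            best_x, best_score = x.copy(), score
    return best_x


def acquisition_rank(pool, candidate, W=W, b=B):
    """0-based rank of candidate when pool + candidate are sorted by score desc."""
    scores = entropy_acquisition(pool, W, b)
    cand = entropy_acquisition(candidate[None], W, b)[0]
    return int((scores > cand).sum())


def run_demo(eps=0.25, alpha=0.005, steps=80, k=5):
    """Returns before/after acquisition scores and ranks for the attacker's sample."""
    # Constructed unlabeled pool: a 9x9 grid over [0.1, 0.9]^2 (81 clean points).
    grid = np.arange(1, 10) / 10.0
    pool = np.array([[i, j] for i in grid for j in grid])
    # Attacker's clean sample: confidently class 0 under the surrogate.
    x_clean = np.array([0.8, 0.3])
    x_poison = ala_poison(x_clean, eps, alpha, steps)
    rank_before = acquisition_rank(pool, x_clean)
    rank_after = acquisition_rank(pool, x_poison)
    return {
        "score_before": float(entropy_acquisition(x_clean[None])[0]),
        "score_after": float(entropy_acquisition(x_poison[None])[0]),
        "rank_before": rank_before,
        "rank_after": rank_after,
        "linf": float(np.abs(x_poison - x_clean).max()),
        "selected_before": rank_before < k,   # would a top-k query pick it?
        "selected_after": rank_after < k,
    }


if __name__ == "__main__":
    for key, val in run_demo().items():
        print(f"{key}: {val}")
```

Under these assumptions the clean sample starts with entropy about 0.42 and sits well outside the top-5 query batch, while the poisoned copy reaches the entropy maximum (log 2) and is ranked first, with every coordinate moved by at most `eps`. The practitioner's takeaway is that an uncertainty score computed on attacker-supplied unlabeled data is an attacker-controllable quantity: the attacker does not need to change the label, only to make the sample look informative. In a real attack the surrogate would be a transfer model approximating the victim's, `eps` would be a pixel-level budget, and the selected sample would additionally carry the clean-label backdoor trigger the abstract mentions; that trigger stage is outside this snippet.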
Taxonomy
Topics: Security and Verification in Computing · Adversarial Robustness in Machine Learning · Academic integrity and plagiarism
