Backdoor Attacks on Self-Supervised Learning
This paper addresses a security problem for users of self-supervised learning in computer vision. It is the first study of backdoor attacks in this context, which makes it novel, though incremental relative to backdoor research in supervised learning.
The paper tackles the vulnerability of self-supervised learning methods to backdoor attacks: by poisoning a small part of the unlabeled data with a trigger, an attacker can manipulate the model's decisions at test time, producing many false positives for a target category. It also proposes a defense method based on knowledge distillation that neutralizes the attack.
Large-scale unlabeled data has spurred recent progress in self-supervised learning methods that learn rich visual representations. State-of-the-art self-supervised methods for learning representations from images (e.g., MoCo, BYOL, MSF) use an inductive bias that random augmentations (e.g., random crops) of an image should produce similar embeddings. We show that such methods are vulnerable to backdoor attacks, where an attacker poisons a small part of the unlabeled data by adding a trigger (image patch chosen by the attacker) to the images. The model performance is good on clean test images, but the attacker can manipulate the decision of the model by showing the trigger at test time. Backdoor attacks have been studied extensively in supervised learning and to the best of our knowledge, we are the first to study them for self-supervised learning. Backdoor attacks are more practical in self-supervised learning, since the use of large unlabeled data makes data inspection to remove poisons prohibitive. We show that in our targeted attack, the attacker can produce many false positives for the target category by using the trigger at test time. We also propose a defense method based on knowledge distillation that succeeds in neutralizing the attack. Our code is available here: https://github.com/UMBCvision/SSL-Backdoor.