
CorruptEncoder: Data Poisoning based Backdoor Attacks to Contrastive Learning (2211.08229v5)

Published 15 Nov 2022 in cs.CR, cs.CV, and cs.LG

Abstract: Contrastive learning (CL) pre-trains general-purpose encoders using an unlabeled pre-training dataset, which consists of images or image-text pairs. CL is vulnerable to data poisoning based backdoor attacks (DPBAs), in which an attacker injects poisoned inputs into the pre-training dataset so the encoder is backdoored. However, existing DPBAs achieve limited effectiveness. In this work, we take the first step to analyze the limitations of existing backdoor attacks and propose new DPBAs to CL, called CorruptEncoder. CorruptEncoder introduces a new attack strategy to create poisoned inputs and uses a theory-guided method to maximize attack effectiveness. Our experiments show that CorruptEncoder substantially outperforms existing DPBAs. In particular, CorruptEncoder is the first DPBA that achieves more than 90% attack success rates with only a few (3) reference images and a small poisoning ratio of 0.5%. Moreover, we also propose a defense, called localized cropping, to defend against DPBAs. Our results show that our defense can reduce the effectiveness of DPBAs, but it sacrifices the utility of the encoder, highlighting the need for new defenses.
