
Does Few-shot Learning Suffer from Backdoor Attacks? (2401.01377v1)

Published 31 Dec 2023 in cs.CR and cs.AI

Abstract: The field of few-shot learning (FSL) has shown promising results in scenarios where training data is limited, but its vulnerability to backdoor attacks remains largely unexplored. We first explore this topic by evaluating the performance of existing backdoor attack methods in few-shot learning scenarios. Unlike in standard supervised learning, existing backdoor attack methods fail to perform an effective attack in FSL due to two main issues. Firstly, the model tends to overfit to either benign features or trigger features, causing a tough trade-off between attack success rate and benign accuracy. Secondly, due to the small number of training samples, the dirty label or visible trigger in the support set can be easily detected by victims, which reduces the stealthiness of attacks. It seemed that FSL could survive backdoor attacks. However, in this paper, we propose the Few-shot Learning Backdoor Attack (FLBA) to show that FSL can still be vulnerable to backdoor attacks. Specifically, we first generate a trigger to maximize the gap between poisoned and benign features. It enables the model to learn both benign and trigger features, which solves the problem of overfitting. To make it more stealthy, we hide the trigger by optimizing two types of imperceptible perturbation, namely attractive and repulsive perturbation, instead of attaching the trigger directly. Once we obtain the perturbations, we can poison all samples in the benign support set into a hidden poisoned support set and fine-tune the model on it. Our method demonstrates a high Attack Success Rate (ASR) in FSL tasks with different few-shot learning paradigms while preserving clean accuracy and maintaining stealthiness. This study reveals that few-shot learning still suffers from backdoor attacks, and its security should be given attention.

Authors (6)
  1. Xinwei Liu (12 papers)
  2. Xiaojun Jia (85 papers)
  3. Jindong Gu (101 papers)
  4. Yuan Xun (7 papers)
  5. Siyuan Liang (73 papers)
  6. Xiaochun Cao (177 papers)
Citations (14)