
How to Craft Backdoors with Unlabeled Data Alone? (2404.06694v2)

Published 10 Apr 2024 in cs.LG, cs.AI, and cs.CR

Abstract: Relying only on unlabeled data, Self-supervised learning (SSL) can learn rich features in an economical and scalable way. As the drive-horse for building foundation models, SSL has received a lot of attention recently with wide applications, which also raises security concerns where backdoor attack is a major type of threat: if the released dataset is maliciously poisoned, backdoored SSL models can behave badly when triggers are injected to test samples. The goal of this work is to investigate this potential risk. We notice that existing backdoors all require a considerable amount of labeled data that may not be available for SSL. To circumvent this limitation, we explore a more restrictive setting called no-label backdoors, where we only have access to the unlabeled data alone, where the key challenge is how to select the proper poison set without using label information. We propose two strategies for poison selection: clustering-based selection using pseudolabels, and contrastive selection derived from the mutual information principle. Experiments on CIFAR-10 and ImageNet-100 show that both no-label backdoors are effective on many SSL methods and outperform random poisoning by a large margin. Code will be available at https://github.com/PKU-ML/nlb.

