Saved in:
Bibliographic Details
Main Authors: Sun, Weiyu, Zhang, Xinyu, Lu, Hao, Chen, Yingcong, Wang, Ting, Chen, Jinghui, Lin, Lu
Format: Preprint
Published: 2024
Subjects:
Online Access:https://arxiv.org/abs/2404.07863
Tags: Add Tag
No Tags, Be the first to tag this record!
_version_ 1866917637440667648
author Sun, Weiyu
Zhang, Xinyu
Lu, Hao
Chen, Yingcong
Wang, Ting
Chen, Jinghui
Lin, Lu
author_facet Sun, Weiyu
Zhang, Xinyu
Lu, Hao
Chen, Yingcong
Wang, Ting
Chen, Jinghui
Lin, Lu
contents Contrastive Learning (CL) has attracted enormous attention due to its remarkable capability in unsupervised representation learning. However, recent works have revealed the vulnerability of CL to backdoor attacks: the feature extractor could be misled to embed backdoored data close to an attack target class, thus fooling the downstream predictor to misclassify it as the target. Existing attacks usually adopt a fixed trigger pattern and poison the training set with trigger-injected data, hoping for the feature extractor to learn the association between trigger and target class. However, we find that such fixed trigger design fails to effectively associate trigger-injected data with target class in the embedding space due to special CL mechanisms, leading to a limited attack success rate (ASR). This phenomenon motivates us to find a better backdoor trigger design tailored for CL framework. In this paper, we propose a bi-level optimization approach to achieve this goal, where the inner optimization simulates the CL dynamics of a surrogate victim, and the outer optimization enforces the backdoor trigger to stay close to the target throughout the surrogate CL procedure. Extensive experiments show that our attack can achieve a higher attack success rate (e.g., $99\%$ ASR on ImageNet-100) with a very low poisoning rate ($1\%$). Besides, our attack can effectively evade existing state-of-the-art defenses. Code is available at: https://github.com/SWY666/SSL-backdoor-BLTO.
format Preprint
id arxiv_https___arxiv_org_abs_2404_07863
institution arXiv
publishDate 2024
record_format arxiv
spellingShingle Backdoor Contrastive Learning via Bi-level Trigger Optimization
Sun, Weiyu
Zhang, Xinyu
Lu, Hao
Chen, Yingcong
Wang, Ting
Chen, Jinghui
Lin, Lu
Cryptography and Security
Contrastive Learning (CL) has attracted enormous attention due to its remarkable capability in unsupervised representation learning. However, recent works have revealed the vulnerability of CL to backdoor attacks: the feature extractor could be misled to embed backdoored data close to an attack target class, thus fooling the downstream predictor to misclassify it as the target. Existing attacks usually adopt a fixed trigger pattern and poison the training set with trigger-injected data, hoping for the feature extractor to learn the association between trigger and target class. However, we find that such fixed trigger design fails to effectively associate trigger-injected data with target class in the embedding space due to special CL mechanisms, leading to a limited attack success rate (ASR). This phenomenon motivates us to find a better backdoor trigger design tailored for CL framework. In this paper, we propose a bi-level optimization approach to achieve this goal, where the inner optimization simulates the CL dynamics of a surrogate victim, and the outer optimization enforces the backdoor trigger to stay close to the target throughout the surrogate CL procedure. Extensive experiments show that our attack can achieve a higher attack success rate (e.g., $99\%$ ASR on ImageNet-100) with a very low poisoning rate ($1\%$). Besides, our attack can effectively evade existing state-of-the-art defenses. Code is available at: https://github.com/SWY666/SSL-backdoor-BLTO.
title Backdoor Contrastive Learning via Bi-level Trigger Optimization
topic Cryptography and Security
url https://arxiv.org/abs/2404.07863