
Erasing Self-Supervised Learning Backdoor by Cluster Activation Masking

Shengsheng Qian, Dizhan Xue, Yifei Wang, Shengjie Zhang, Huaiwen Zhang, Changsheng Xu

TL;DR

This paper proposes to erase the SSL backdoor by cluster activation masking and proposes a novel PoisonCAM method that can precisely detect poisonous samples based on the assumption that masking the backdoor trigger can effectively change the activation of a downstream clustering model.

Abstract

Self-Supervised Learning (SSL) is an effective paradigm for learning representations from unlabeled data, such as text, images, and videos. However, researchers have recently found that SSL is vulnerable to backdoor attacks. The attacker can embed hidden SSL backdoors via a few poisoned examples in the training dataset and maliciously manipulate the behavior of downstream models. To defend against SSL backdoor attacks, a feasible route is to detect and remove the poisonous samples in the training set. However, the existing SSL backdoor defense method fails to detect the poisonous samples precisely. In this paper, we propose to erase the SSL backdoor by cluster activation masking and propose a novel PoisonCAM method. After obtaining the threat model trained on the poisoned dataset, our method can precisely detect poisonous samples based on the assumption that masking the backdoor trigger can effectively change the activation of a downstream clustering model. In experiments, our PoisonCAM achieves 96% accuracy for backdoor trigger detection compared to 3% of the state-of-the-art method on poisoned ImageNet-100. Moreover, our proposed PoisonCAM significantly improves the performance of the trained SSL model under backdoor attacks compared to the state-of-the-art method. Our code, data, and trained models will be open once this paper is accepted.

Paper Structure

This paper contains 22 sections, 3 equations, 13 figures, and 3 tables.

Figures (13)

  • Figure 1: Retrieved backdoor trigger patches from the poisoned ImageNet-100 (poison rate 0.5%, target category "rottweiler") by PatchSearch [Tejankar2023patchsearch] (left) and our PoisonCAM (right).
  • Figure 2: The overview of PoisonCAM: (1) Learn a clustering model on the poisoned dataset by $k$-means algorithm; (2) Detect the candidate trigger in each image based on clustering outlier scores of random masks and the weighted sum of masks as the trigger attention map; (3) Compute the poison scores of candidate triggers and retrieve the top-k triggers with corresponding poisonous images; (4) Train a poison classifier to identify and remove poisonous samples in the poisoned dataset.
  • Figure 3: An example of three masking strategies.
  • Figure 4: Results of the detected top-$k$ candidate triggers by different methods against multi-target attacks.
  • Figure 5: Ablation study on different masking strategies on ImageNet-100 (poison rate 0.5%, target category "rottweiler"). Rec. and Prec. denote Recall and Precision.
  • ...and 8 more figures
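The four steps in the Figure 2 overview can be exercised end to end on a toy dataset. The script below is an added example written for this page; it is not the authors' code and not PoisonCAM itself. It assumes stand-ins for everything the page does not specify: 8x8 grayscale images with a planted 3x3 white trigger (constructed), a 2x2 block-mean feature extractor in place of the SSL encoder, a "cluster-flip margin" (distance to the image's own k-means centroid minus distance to the nearest other centroid, after masking) as the clustering outlier score, and the maximum of that score over masks as the poison score used for top-k retrieval. The final poison-classifier step (4) is reduced to the top-k threshold itself. What it shows is the core assumption of the method in action: masking the trigger region, and nothing else, moves a poisoned sample out of the target cluster, so averaging mask scores over the pixels they cover concentrates attention on the trigger.

```python
"""Toy walk-through of the PoisonCAM pipeline sketched in Figure 2.
Added example (not the paper's code). Assumed stand-ins: 8x8 images, block-mean
features instead of an SSL encoder, a cluster-flip margin as outlier score."""
import numpy as np

IMG = 8              # toy image side length (assumption)
TRIGGER = (5, 5, 3)  # (row, col, size) of the planted trigger patch (constructed)
MASK = 3             # side length of each random square mask (assumption)


def make_dataset(rng, n_per_class=40, n_poison=6):
    """Constructed data: class A is bright top-left, class B bright bottom-right.
    The first n_poison class-A images get a white trigger inside the bottom-right
    block, so a block-mean encoder pulls them towards the class-B cluster."""
    imgs, labels = [], []
    for cls in (0, 1):
        for _ in range(n_per_class):
            img = 0.1 + 0.03 * rng.standard_normal((IMG, IMG))
            if cls == 0:
                img[:4, :4] += 0.3
            else:
                img[4:, 4:] += 0.3
            imgs.append(img)
            labels.append(cls)
    imgs = np.clip(np.array(imgs), 0.0, 1.0)
    r, c, s = TRIGGER
    imgs[:n_poison, r:r + s, c:c + s] = 1.0
    return imgs, np.array(labels), np.arange(n_poison)


def features(imgs):
    """Stand-in for the SSL encoder: mean of each cell of a 2x2 block grid (4-d)."""
    h = IMG // 2
    return np.stack([imgs[:, :h, :h].mean((1, 2)), imgs[:, :h, h:].mean((1, 2)),
                     imgs[:, h:, :h].mean((1, 2)), imgs[:, h:, h:].mean((1, 2))], axis=1)


def kmeans(x, k=2, iters=20):
    """Step (1): Lloyd's k-means with farthest-point initialisation."""
    cents = [x[0]]
    for _ in range(1, k):
        d = np.min([np.linalg.norm(x - c, axis=1) for c in cents], axis=0)
        cents.append(x[np.argmax(d)])
    cents = np.array(cents)
    for _ in range(iters):
        assign = np.argmin(np.linalg.norm(x[:, None] - cents[None], axis=2), axis=1)
        cents = np.array([x[assign == j].mean(0) if np.any(assign == j) else cents[j]
                          for j in range(k)])
    return cents


def random_masks(rng, n):
    """Random square masks; the same mask set is reused for every image."""
    masks = np.zeros((n, IMG, IMG), dtype=bool)
    for i in range(n):
        r, c = rng.integers(0, IMG - MASK + 1, size=2)
        masks[i, r:r + MASK, c:c + MASK] = True
    return masks


def flip_margin(feat, cents, home):
    """Outlier score (assumption): distance to the image's home centroid minus
    distance to the nearest other centroid. Positive means the cluster flipped."""
    d = np.linalg.norm(feat[:, None] - cents[None], axis=2)
    d_home = d[:, home]
    d_other = np.min(np.delete(d, home, axis=1), axis=1)
    return d_home - d_other


def trigger_attention(img, cents, masks, fill):
    """Step (2): mask randomly, score each masked copy, and spread each score over
    the pixels its mask covered (mean score per pixel = attention map)."""
    home = int(np.argmin(np.linalg.norm(features(img[None])[0] - cents, axis=1)))
    masked = np.where(masks, fill, img[None])
    scores = np.clip(flip_margin(features(masked), cents, home), 0.0, None)
    cover = masks.sum(0)
    attn = (scores[:, None, None] * masks).sum(0) / np.maximum(cover, 1)
    return attn, float(scores.max())


def run_detection(seed=0, n_masks=300, k_retrieve=6):
    """Steps (1)-(3): cluster, locate a candidate trigger per image, score it, and
    retrieve the top-k images. Step (4), the poison classifier, is reduced to this
    top-k cut (assumption)."""
    rng = np.random.default_rng(seed)
    imgs, _, poison_idx = make_dataset(rng)
    cents = kmeans(features(imgs))
    masks = random_masks(rng, n_masks)
    fill = float(imgs.mean())  # masked pixels take the dataset mean (assumption)
    loc, score = [], []
    for img in imgs:
        attn, s = trigger_attention(img, cents, masks, fill)
        loc.append(tuple(int(v) for v in np.unravel_index(np.argmax(attn), attn.shape)))
        score.append(s)
    score = np.array(score)
    top = np.argsort(-score)[:k_retrieve]
    return {"poison_idx": poison_idx, "top": top, "score": score, "loc": loc}


if __name__ == "__main__":
    out = run_detection()
    print("retrieved:", sorted(out["top"].tolist()), "planted:", out["poison_idx"].tolist())
    print("candidate trigger pixel on image 0:", out["loc"][0])
```

Two details matter for the result. The score is a margin relative to the image's own cluster, not an absolute distance: masking a clean image's class-defining region does increase its distance to its centroid, but never past the other centroid, so only the trigger produces a positive score. And the attention map averages scores over the masks covering each pixel, so pixels that are only ever covered by masks fully on the trigger score highest; the candidate trigger for each poisoned image lands inside the planted 3x3 patch, while clean images get an all-zero map.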