SSL-OTA: Unveiling Backdoor Threats in Self-Supervised Learning for Object Detection

TL;DR

This paper tackles the security risk of backdoor attacks in self-supervised learning for object detection by introducing SSL-OTA, a backdoor framework with two attack variants: Naive Attack and Dual-Source Blending Attack. The attacks insert triggers into training and possibly encoder components to misclassify targeted objects as a chosen class, achieving ASR up to 86.55% at a 0.5% poisoning rate while preserving near-clean detection performance. Through extensive experiments on VOC2007 and MSCOCO with standard architectures, the authors show DSBA often outperforms NA in effectiveness and remains robust to trigger size, position, and even model pruning defenses. The findings highlight the need for defenses against SSL-based backdoors in object detection, especially in safety-critical applications, and offer a framework for evaluating backdoor robustness in SSL pipelines.

Abstract

The extensive adoption of Self-supervised learning(SSL) has led to an increased security threat from backdoor attacks. While existing research has mainly focused on backdoor attacks in image classification, there has been limited exploration of their implications for object detection. Object detection plays a critical role in security-sensitive applications, such as autonomous driving, where backdoor attacks seriously threaten human life and property. In this work, we propose the first backdoor attack designed for object detection tasks in SSL scenarios, called Object Transform Attack (SSL-OTA). SSL-OTA employs a trigger capable of altering predictions of the target object to the desired category, encompassing two attacks: Naive Attack(NA) and Dual-Source Blending Attack (DSBA). NA conducts data poisoning during downstream fine-tuning of the object detector, while DSBA additionally injects backdoors into the pre-trained encoder. We establish appropriate metrics and conduct extensive experiments on benchmark datasets, demonstrating the effectiveness of our proposed attack and its resistance to potential defenses. Notably, both NA and DSBA achieve high attack success rates (ASR) at extremely low poisoning rates (0.5%). The results underscore the importance of considering backdoor threats in SSL-based object detection and contribute a novel perspective to the field.

Figures (10)

• Figure 1: Illustration of the proposed OTA on object detection. This involves each trigger causing the model to misclassify an object of the attacked class (in this case, "person”) as the target class "dog”. We show the predicted bounding boxes with a confidence score $>$ 0.5.
• Figure 2: The main pipeline of NA and DSBA against object detection. Our method involves two attacks of SSL-OTA: NA and DSBA. NA poisons only a small number of training samples during the downstream fine-tuning phase (right side). In contrast, DSBA conducts a hybrid attack using dual data sources from the encoder and downstream detector (left side). Building upon NA, it introduces an additional shadow dataset for backdoor injection into the shadow object detector, comprising three steps: 1) Shadow object detector training, 2) Backdoor training and extraction, and 3) Poisoned fine-tuning. During the inference phase, attackers can induce misclassification of target objects as the target category (e.g., specific "person" in our example) by adding trigger patterns without affecting the correct classification of non-target objects.
• Figure 3:
• Figure 4:
• Figure 5: