Does Few-shot Learning Suffer from Backdoor Attacks?

Xinwei Liu, Xiaojun Jia, Jindong Gu, Yuan Xun, Siyuan Liang, Xiaochun Cao

TL;DR

The paper reveals that few-shot learning (FSL) is not immune to backdoor threats and that existing backdoor methods struggle in FSL due to overfitting and detectability. It introduces Few-shot Learning Backdoor Attack (FLBA), which optimizes a trigger via embedding deviation and hides it with attractive and repulsive perturbations, forming a hidden poisoned support set for fine-tuning. FLBA achieves high attack success rates across multiple FSL paradigms, datasets, and even CLIP backbones, while maintaining clean accuracy and demonstrating stealth against defenses like image pre-processing and Neural Cleanse. This work highlights a significant security risk in FSL systems and provides a robust framework for evaluating and understanding backdoor vulnerabilities in few-shot regimes.

Abstract

The field of few-shot learning (FSL) has shown promising results in scenarios where training data is limited, but its vulnerability to backdoor attacks remains largely unexplored. We explore this topic by first evaluating the performance of existing backdoor attack methods in few-shot learning scenarios. Unlike in standard supervised learning, existing backdoor attack methods fail to perform an effective attack in FSL due to two main issues. Firstly, the model tends to overfit to either benign features or trigger features, causing a tough trade-off between attack success rate and benign accuracy. Secondly, due to the small number of training samples, the dirty label or visible trigger in the support set can be easily detected by victims, which reduces the stealthiness of attacks. It seemed that FSL could survive backdoor attacks. However, in this paper, we propose the Few-shot Learning Backdoor Attack (FLBA) to show that FSL can still be vulnerable to backdoor attacks. Specifically, we first generate a trigger to maximize the gap between poisoned and benign features. It enables the model to learn both benign and trigger features, which solves the problem of overfitting. To make it more stealthy, we hide the trigger by optimizing two types of imperceptible perturbations, namely attractive and repulsive perturbations, instead of attaching the trigger directly. Once we obtain the perturbations, we can poison all samples in the benign support set into a hidden poisoned support set and fine-tune the model on it. Our method demonstrates a high Attack Success Rate (ASR) in FSL tasks with different few-shot learning paradigms while preserving clean accuracy and maintaining stealthiness. This study reveals that few-shot learning still suffers from backdoor attacks, and its security should be given attention.
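The abstract notes that dirty labels in a small support set are easy for a victim to detect. As an added illustration (not code from the paper), the sketch below runs a leave-one-out nearest-prototype check over a constructed 5-way 5-shot support set; the embeddings, function names and the assumption that a relabeled image still embeds near its true class are all hypothetical.

```python
import random

def sq_dist(a, b):
    return sum((x - y) ** 2 for x, y in zip(a, b))

def prototypes(embs, labels, skip):
    """Per-class mean embedding, computed without sample `skip` (leave-one-out)."""
    groups = {}
    for i, (e, y) in enumerate(zip(embs, labels)):
        if i != skip:
            groups.setdefault(y, []).append(e)
    return {y: [sum(col) / len(es) for col in zip(*es)] for y, es in groups.items()}

def flag_label_inconsistent(embs, labels):
    """Return (index, given_label, nearest_class) for samples whose embedding
    is closer to another class's prototype than to the one its label claims."""
    flagged = []
    for i, (e, y) in enumerate(zip(embs, labels)):
        protos = prototypes(embs, labels, skip=i)
        nearest = min(protos, key=lambda c: sq_dist(e, protos[c]))
        if nearest != y:
            flagged.append((i, y, nearest))
    return flagged

def build_support_set(n_way=5, k_shot=5, target=0, dirty_label=True, seed=0):
    """Constructed sample data: class c clusters around 4.0 on axis c.
    With dirty_label=True, the first shot of every non-target class is
    relabeled to `target` (one image per class, i.e. poisoning rate 0.2)."""
    rng = random.Random(seed)
    embs, labels, relabeled = [], [], []
    for c in range(n_way):
        for s in range(k_shot):
            embs.append([(4.0 if d == c else 0.0) + rng.gauss(0, 0.3)
                         for d in range(n_way)])
            dirty = dirty_label and s == 0 and c != target
            labels.append(target if dirty else c)
            if dirty:
                relabeled.append(len(embs) - 1)
    return embs, labels, relabeled

if __name__ == "__main__":
    embs, labels, relabeled = build_support_set()
    for idx, given, nearest in flag_label_inconsistent(embs, labels):
        print(f"sample {idx}: labeled {given}, embedding nearest to class {nearest}")
```

The check keys on disagreement between a label and the embedding, so a support set whose labels all match their images gives it nothing to flag.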

Paper Structure

This paper contains 32 sections, 7 equations, 10 figures, 9 tables.

Figures (10)

  • Figure 1: Results of six backdoor attack methods with different poison rates on the 5-way 5-shot learning task. The poisoning rate of 0.2 means the selection of one image of each class for the dirty-label method or one image of the target class for the clean-label method. The top of the figures shows the visualization of the poisoned support set with BadNet and TUAP, which are both easily detected by victims because of their dirty labels or visible triggers.
  • Figure 2: The pipeline of our FLBA. We take the Baseline++ method [chen2019closer] as an example. Our method is divided into four main phases. The solid line indicates forward propagation, while the dashed line indicates gradient backward propagation.
  • Figure 3: The t-SNE visualization of benign images and different poisoned versions in the feature spaces with four dirty-label backdoor attack methods and ours, where the red triangles represent the distribution of clean samples.
  • Figure 4: The visualization of the poisoned support set for different backdoor attack methods. In dirty-label methods, the labels of poisoned samples are inconsistent with their ground-truth ones. Although clean-label methods keep the same labels as their ground-truth ones, the trigger patterns are visible in the support set. Our method and HTBA have good stealthiness.
  • Figure 5: Attack results on tasks with different numbers of shots.
  • ...and 5 more figures