Table of Contents
Fetching ...

How to Backdoor the Knowledge Distillation

Chen Wu, Qian Ma, Prasenjit Mitra, Sencun Zhu

TL;DR

Knowledge distillation is vulnerable even when the teacher is clean, if the distillation data is poisoned with manipulated images carrying backdoor triggers. The authors implement a backdoor attack by poisoning the distillation dataset using adversarial perturbations or BigGAN-generated samples that the clean teacher already maps to a target class, and then applying a fixed trigger during training. The student learns a strong backdoor while maintaining competitive accuracy on clean data, with high attack success rates across CIFAR and ImageNet subsets and across various loss weightings. This work highlights a critical security gap in KD pipelines and motivates defenses that ensure the integrity of distillation data to prevent backdoor transfer across models and datasets.

Abstract

Knowledge distillation has become a cornerstone in modern machine learning systems, celebrated for its ability to transfer knowledge from a large, complex teacher model to a more efficient student model. Traditionally, this process is regarded as secure, assuming the teacher model is clean. This belief stems from conventional backdoor attacks relying on poisoned training data with backdoor triggers and attacker-chosen labels, which are not involved in the distillation process. Instead, knowledge distillation uses the outputs of a clean teacher model to guide the student model, inherently preventing recognition or response to backdoor triggers as intended by an attacker. In this paper, we challenge this assumption by introducing a novel attack methodology that strategically poisons the distillation dataset with adversarial examples embedded with backdoor triggers. This technique allows for the stealthy compromise of the student model while maintaining the integrity of the teacher model. Our innovative approach represents the first successful exploitation of vulnerabilities within the knowledge distillation process using clean teacher models. Through extensive experiments conducted across various datasets and attack settings, we demonstrate the robustness, stealthiness, and effectiveness of our method. Our findings reveal previously unrecognized vulnerabilities and pave the way for future research aimed at securing knowledge distillation processes against backdoor attacks.

How to Backdoor the Knowledge Distillation

TL;DR

Knowledge distillation is vulnerable even when the teacher is clean, if the distillation data is poisoned with manipulated images carrying backdoor triggers. The authors implement a backdoor attack by poisoning the distillation dataset using adversarial perturbations or BigGAN-generated samples that the clean teacher already maps to a target class, and then applying a fixed trigger during training. The student learns a strong backdoor while maintaining competitive accuracy on clean data, with high attack success rates across CIFAR and ImageNet subsets and across various loss weightings. This work highlights a critical security gap in KD pipelines and motivates defenses that ensure the integrity of distillation data to prevent backdoor transfer across models and datasets.

Abstract

Knowledge distillation has become a cornerstone in modern machine learning systems, celebrated for its ability to transfer knowledge from a large, complex teacher model to a more efficient student model. Traditionally, this process is regarded as secure, assuming the teacher model is clean. This belief stems from conventional backdoor attacks relying on poisoned training data with backdoor triggers and attacker-chosen labels, which are not involved in the distillation process. Instead, knowledge distillation uses the outputs of a clean teacher model to guide the student model, inherently preventing recognition or response to backdoor triggers as intended by an attacker. In this paper, we challenge this assumption by introducing a novel attack methodology that strategically poisons the distillation dataset with adversarial examples embedded with backdoor triggers. This technique allows for the stealthy compromise of the student model while maintaining the integrity of the teacher model. Our innovative approach represents the first successful exploitation of vulnerabilities within the knowledge distillation process using clean teacher models. Through extensive experiments conducted across various datasets and attack settings, we demonstrate the robustness, stealthiness, and effectiveness of our method. Our findings reveal previously unrecognized vulnerabilities and pave the way for future research aimed at securing knowledge distillation processes against backdoor attacks.
Paper Structure (36 sections, 2 equations, 7 figures, 5 tables)

This paper contains 36 sections, 2 equations, 7 figures, 5 tables.

Figures (7)

  • Figure 1: Clean teacher model will predict the correct label instead of the triggered label given the triggered image.
  • Figure 2: Overview of the proposed backdoor knowledge distillation attack instantiated with manipulated images.
  • Figure 3: The influence of the $\lambda$ values on the performance of the final student model using the CIFAR-100 dataset.
  • Figure 4: The influence of the $\lambda$ values on the performance of the final student model using the CIFAR-10 dataset.
  • Figure 5: The influence of the $\lambda$ values on the performance of the final student model using the ImageNet dataset.
  • ...and 2 more figures