Table of Contents
Fetching ...

HPE: Hallucinated Positive Entanglement for Backdoor Attacks in Federated Self-Supervised Learning

Jiayao Wang, Yang Song, Zhendong Zhao, Jiale Zhang, Qilin Wu, Wenliang Yuan, Junwu Zhu, Dongfang Zhao

TL;DR

This work addresses backdoor threats in federated self-supervised learning (FSSL) by introducing Hallucinated Positive Entanglement (HPE), a framework that blends hallucination-based augmentation, feature entanglement, and proximity-aware updates to embed persistent backdoors with limited poisoned data. The authors formalize the FSSL setting, propose a dual-level poisoning strategy to constrain updates both in model space and across low-variance dimensions, and demonstrate strong attack effectiveness across multiple datasets, SSL algorithms, and encoder architectures. They also show HPE's robustness against several aggregation-based defenses and backdoor detectors, while providing ablations that illuminate the roles of key hyperparameters. The findings underscore a significant security vulnerability in FSSL and motivate the development of defenses specifically targeting backdoor propagation in federated self-supervised frameworks.

Abstract

Federated self-supervised learning (FSSL) enables collaborative training of self-supervised representation models without sharing raw unlabeled data. While it serves as a crucial paradigm for privacy-preserving learning, its security remains vulnerable to backdoor attacks, where malicious clients manipulate local training to inject targeted backdoors. Existing FSSL attack methods, however, often suffer from low utilization of poisoned samples, limited transferability, and weak persistence. To address these limitations, we propose a new backdoor attack method for FSSL, namely Hallucinated Positive Entanglement (HPE). HPE first employs hallucination-based augmentation using synthetic positive samples to enhance the encoder's embedding of backdoor features. It then introduces feature entanglement to enforce tight binding between triggers and backdoor samples in the representation space. Finally, selective parameter poisoning and proximity-aware updates constrain the poisoned model within the vicinity of the global model, enhancing its stability and persistence. Experimental results on several FSSL scenarios and datasets show that HPE significantly outperforms existing backdoor attack methods in performance and exhibits strong robustness under various defense mechanisms.

HPE: Hallucinated Positive Entanglement for Backdoor Attacks in Federated Self-Supervised Learning

TL;DR

This work addresses backdoor threats in federated self-supervised learning (FSSL) by introducing Hallucinated Positive Entanglement (HPE), a framework that blends hallucination-based augmentation, feature entanglement, and proximity-aware updates to embed persistent backdoors with limited poisoned data. The authors formalize the FSSL setting, propose a dual-level poisoning strategy to constrain updates both in model space and across low-variance dimensions, and demonstrate strong attack effectiveness across multiple datasets, SSL algorithms, and encoder architectures. They also show HPE's robustness against several aggregation-based defenses and backdoor detectors, while providing ablations that illuminate the roles of key hyperparameters. The findings underscore a significant security vulnerability in FSSL and motivate the development of defenses specifically targeting backdoor propagation in federated self-supervised frameworks.

Abstract

Federated self-supervised learning (FSSL) enables collaborative training of self-supervised representation models without sharing raw unlabeled data. While it serves as a crucial paradigm for privacy-preserving learning, its security remains vulnerable to backdoor attacks, where malicious clients manipulate local training to inject targeted backdoors. Existing FSSL attack methods, however, often suffer from low utilization of poisoned samples, limited transferability, and weak persistence. To address these limitations, we propose a new backdoor attack method for FSSL, namely Hallucinated Positive Entanglement (HPE). HPE first employs hallucination-based augmentation using synthetic positive samples to enhance the encoder's embedding of backdoor features. It then introduces feature entanglement to enforce tight binding between triggers and backdoor samples in the representation space. Finally, selective parameter poisoning and proximity-aware updates constrain the poisoned model within the vicinity of the global model, enhancing its stability and persistence. Experimental results on several FSSL scenarios and datasets show that HPE significantly outperforms existing backdoor attack methods in performance and exhibits strong robustness under various defense mechanisms.
Paper Structure (18 sections, 1 theorem, 20 equations, 12 figures, 6 tables, 1 algorithm)

This paper contains 18 sections, 1 theorem, 20 equations, 12 figures, 6 tables, 1 algorithm.

Key Result

Theorem 1.1

Let $\mathcal{L}_{CL}$ be a convex loss function satisfying the assumptions above. In the HPE attack, a malicious client uses the total loss function $\mathcal{L}_{Total} = (1-\mu)\mathcal{L}_{CL} + \mu(\mathcal{L}_{HE} + \mathcal{L}_{BFE})$. If a decaying learning rate $\alpha_t = \frac{C}{t^p}$ (w where $\theta^*$ is the optimal model parameter that minimizes the cumulative benign loss $\sum_{t=

Figures (12)

  • Figure 1: Framework of federated self-supervised learning.
  • Figure 2: Framework of HPE.
  • Figure 3: Intuition behind Hallucination Enhancement. Our objective function (see Eq. \ref{['eq4']}.) enforces the constraint that the hallucinated positives and the original anchor ($v_k$) have the same closest prototype ($P_1$) while minimizing the similarity to $v_k$. For example, $v_2^H$ does not satisfy the constraint while $v_1^H$ does.
  • Figure 4: Performance evaluation of the proposed HPE with different encoder architecture and SSL algorithm.
  • Figure 5: Performance of HPE with different ratios of malicious clients and poison samples.
  • ...and 7 more figures

Theorems & Definitions (2)

  • Theorem 1.1: Convergence under HPE Attack
  • proof