DSBA: Dynamic Stealthy Backdoor Attack with Collaborative Optimization in Self-Supervised Learning

TL;DR

A Dynamic Stealthy Backdoor Attack (DSBA) backed by a new technique the authors term Collaborative Optimization is proposed that significantly enhances Attack Success Rate (ASR) and stealthiness while maintaining downstream task accuracy; and DSBA exhibits superior robustness against existing mainstream defense methods.

Abstract

Self-Supervised Learning (SSL) has emerged as a significant paradigm in representation learning thanks to its ability to learn without extensive labeled data, its strong generalization capabilities, and its potential for privacy preservation. However, recent research reveals that SSL models are also vulnerable to backdoor attacks. Existing backdoor attack methods in the SSL context commonly suffer from issues such as high detectability of triggers, feature entanglement, and pronounced out-of-distribution properties in poisoned samples, all of which compromises attack effectiveness and stealthiness. To that, we propose a Dynamic Stealthy Backdoor Attack (DSBA) backed by a new technique we term Collaborative Optimization. This method decouples the attack process into two collaborative optimization layers: the outer-layer optimization trains a backdoor encoder responsible for global feature space remodeling, aiming to achieve precise backdoor implantation while preserving core functionality; meanwhile, the inner-layer optimization employs a dynamically optimized generator to adaptively produce optimally concealed triggers for individual samples, achieving coordinated concealment across feature space and visual space. We also introduce multiple loss functions to dynamically balance attack performance and stealthiness, in which we employ an adaptive weight scheduling mechanism to enhance training stability. Extensive experiments on various mainstream SSL algorithms and five public datasets demonstrate that: (i) DSBA significantly enhances Attack Success Rate (ASR) and stealthiness while maintaining downstream task accuracy; and (ii) DSBA exhibits superior robustness against existing mainstream defense methods.

Figures (7)

• Figure 1: Comparison of clean, backdoored samples created by Patch trigger, Instagram filter trigger Ins2Ins1, WaNet trigger WaNets, CTRL trigger CTRL, IMPERATIVE trigger D35 and ours. Residuals are the difference between clean and backdoored images.
• Figure 2: The t-SNE visualization of feature vectors in the latent space under different attacks.
• Figure 3: PCA visualization of clean and poisoned sample embeddings in backdoored models under different attacks.
• Figure 4: Inner-Outer layer collaborative optimization for DSBA. The Inner Optimization updates the trigger generator parameters $\phi$ by minimizing $L_{inner}$, producing sample-specific optimal triggers $\delta_i^*$ ($\delta_i$ evolves into $\delta_i^*$). The Outer Optimization uses these triggers to update the backdoor encoder $f'$ by minimizing $L_{outer}$. The two layers form a closed loop, alternating updates for synergistic attack and stealth.
• Figure 5: Experimental results for different encoder architectures and SSL algorithms.