DeHiB: Deep Hidden Backdoor Attack on Semi-supervised Learning via Adversarial Perturbation
Keywords:Semi-Supervised Learning, Adversarial Attacks & Robustness
AbstractThe threat of data-poisoning backdoor attacks on learning algorithms typically comes from the labeled data. However, in deep semi-supervised learning (SSL), unknown threats mainly stem from the unlabeled data. In this paper, we propose a novel deep hidden backdoor (DeHiB) attack scheme for SSL-based systems. In contrast to the conventional attacking methods, the DeHiB can inject malicious unlabeled training data to the semi-supervised learner so as to enable the SSL model to output premeditated results. In particular, a robust adversarial perturbation generator regularized by a unified objective function is proposed to generate poisoned data. To alleviate the negative impact of the trigger patterns on model accuracy and improve the attack success rate, a novel contrastive data poisoning strategy is designed. Using the proposed data poisoning scheme, one can implant the backdoor into the SSL model using the raw data without hand-crafted labels. Extensive experiments based on CIFAR10 and CIFAR100 datasets demonstrated the effectiveness and crypticity of the proposed scheme.
How to Cite
Yan, Z., Li, G., TIan, Y., Wu, J., Li, S., Chen, M., & Poor, H. V. (2021). DeHiB: Deep Hidden Backdoor Attack on Semi-supervised Learning via Adversarial Perturbation. Proceedings of the AAAI Conference on Artificial Intelligence, 35(12), 10585-10593. Retrieved from https://ojs.aaai.org/index.php/AAAI/article/view/17266
AAAI Technical Track on Machine Learning V