DeHiB: Deep Hidden Backdoor Attack on Semi-supervised Learning via Adversarial Perturbation

Authors

  • Zhicong Yan Shanghai Jiaotong University, Shanghai, China
  • Gaolei Li Shanghai Jiaotong University, Shanghai, China
  • Yuan Tian Shanghai Jiaotong University, Shanghai, China
  • Jun Wu Shanghai Jiaotong University, Shanghai, China
  • Shenghong Li Shanghai Jiaotong University, Shanghai, China
  • Mingzhe Chen Princeton University, Princeton, USA
  • H. Vincent Poor Princeton University, Princeton, USA

Keywords

Semi-Supervised Learning, Adversarial Attacks & Robustness

Abstract

The threat of data-poisoning backdoor attacks on learning algorithms typically comes from the labeled data. In deep semi-supervised learning (SSL), however, the unknown threats mainly stem from the unlabeled data. In this paper, we propose a novel deep hidden backdoor (DeHiB) attack scheme for SSL-based systems. In contrast to conventional attack methods, DeHiB injects malicious unlabeled training data into the semi-supervised learner so that the SSL model outputs premeditated results. In particular, a robust adversarial perturbation generator regularized by a unified objective function is proposed to generate the poisoned data. To alleviate the negative impact of the trigger patterns on model accuracy and to improve the attack success rate, a novel contrastive data poisoning strategy is designed. Using the proposed data poisoning scheme, one can implant the backdoor into the SSL model using raw data without hand-crafted labels. Extensive experiments on the CIFAR10 and CIFAR100 datasets demonstrate the effectiveness and stealthiness of the proposed scheme.
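
The mechanism the abstract describes, as an added toy illustration that is not the paper's code: a self-training (pseudo-labeling) learner is fed unlabeled points that carry a trigger and have been perturbed just across the decision boundary toward the target class. The learner itself assigns them the target pseudo-label, so the attacker never supplies a label, and the refit model associates the trigger with the target class. Everything here is simplified and hypothetical: a nearest-centroid classifier stands in for the deep SSL model, a greedy step toward the target centroid stands in for the paper's adversarial perturbation generator, the contrastive strategy is not modeled, the attacker's surrogate is assumed to be fit on the victim's own labeled set, and all feature vectors (class "A" near x0=+1, class "B" near x0=-1, last coordinate as the trigger) are constructed.

```python
"""Toy backdoor through poisoned *unlabeled* data in a self-training learner.

Added example, not DeHiB's implementation.  Learner: nearest centroid.
"Adversarial perturbation": greedy steps toward the target centroid on the
content features only, so the trigger is never erased.  Data: constructed.
"""
from math import sqrt

TRIGGER_DIM = 2        # hypothetical: last feature acts as the trigger "pixel"
TRIGGER_VALUE = 3.0    # hypothetical trigger amplitude

# Constructed data: class "A" lives near x0=+1, class "B" near x0=-1, trigger=0.
LABELED = [([1.0, 0.0, 0.0], "A"), ([1.0, 0.4, 0.0], "A"),
           ([-1.0, 0.0, 0.0], "B"), ([-1.0, -0.4, 0.0], "B")]
CLEAN_UNLABELED = [[0.8, 0.1, 0.0], [1.2, -0.1, 0.0],
                   [-0.9, 0.0, 0.0], [-1.1, 0.1, 0.0]]
# Source samples the attacker owns; all come from the non-target class "A".
SOURCE = [[0.9, 0.1, 0.0], [1.1, 0.0, 0.0], [1.0, -0.1, 0.0]]


def dist(a, b):
    return sqrt(sum((x - y) ** 2 for x, y in zip(a, b)))


def centroids(points, labels):
    """Fit the nearest-centroid model: one mean vector per class."""
    sums, counts = {}, {}
    for p, y in zip(points, labels):
        sums[y] = [s + v for s, v in zip(sums.get(y, [0.0] * len(p)), p)]
        counts[y] = counts.get(y, 0) + 1
    return {y: [s / counts[y] for s in sums[y]] for y in sums}


def predict(model, x):
    return min(model, key=lambda y: dist(model[y], x))


def stamp_trigger(x):
    z = list(x)
    z[TRIGGER_DIM] = TRIGGER_VALUE
    return z


def perturb_to_target(model, x, target, step=0.1, max_steps=100):
    """Move x along the content features (never the trigger feature) toward the
    target centroid until the current model classifies it as `target`.
    Stops at the first crossing, i.e. a minimal-looking perturbation."""
    z = list(x)
    for _ in range(max_steps):
        if predict(model, z) == target:
            return z
        d = [model[target][i] - z[i] for i in range(len(z))]
        d[TRIGGER_DIM] = 0.0                      # keep the trigger intact
        n = sqrt(sum(v * v for v in d))
        z = [z[i] + step * d[i] / n for i in range(len(z))]
    raise ValueError("could not cross the decision boundary")


def self_train(labeled, unlabeled):
    """One round of pseudo-labeling: fit on labeled data, label the unlabeled
    pool with that model, refit on the union.  The provider of the unlabeled
    pool contributes raw points only, never labels."""
    pts = [p for p, _ in labeled]
    ys = [y for _, y in labeled]
    model = centroids(pts, ys)
    pseudo = [predict(model, u) for u in unlabeled]
    return centroids(pts + list(unlabeled), ys + pseudo)


def run_attack(target="B"):
    """Return (clean_model, backdoored_model) trained on identical labeled data;
    only the unlabeled pool differs by the three poisoned points."""
    pts = [p for p, _ in LABELED]
    ys = [y for _, y in LABELED]
    surrogate = centroids(pts, ys)           # assumption: attacker can fit this
    poisoned = [perturb_to_target(surrogate, stamp_trigger(s), target)
                for s in SOURCE]
    # Sanity check on the attacker's side: every poisoned point will be
    # pseudo-labeled as the target class without any label being supplied.
    assert all(predict(surrogate, p) == target for p in poisoned)
    clean_model = self_train(LABELED, CLEAN_UNLABELED)
    backdoored = self_train(LABELED, CLEAN_UNLABELED + poisoned)
    return clean_model, backdoored


if __name__ == "__main__":
    clean_model, backdoored = run_attack()
    probe = [1.0, 0.0, 0.0]                   # a clean class-"A" input
    print("clean model, triggered A    :", predict(clean_model, stamp_trigger(probe)))
    print("backdoored, clean A         :", predict(backdoored, probe))
    print("backdoored, triggered A     :", predict(backdoored, stamp_trigger(probe)))
```

Two things the run makes visible. First, the trigger alone does nothing against the clean model, and the backdoored model still classifies clean inputs correctly; only the trigger plus the target-class association learned from the poisoned pseudo-labels flips the prediction. Second, the perturbation must be confined to the content features: a step toward the target centroid in the full space would drive the trigger coordinate back to zero and destroy the very pattern the attack needs the learner to memorize.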

Published

2021-05-18

How to Cite

Yan, Z., Li, G., Tian, Y., Wu, J., Li, S., Chen, M., & Poor, H. V. (2021). DeHiB: Deep Hidden Backdoor Attack on Semi-supervised Learning via Adversarial Perturbation. Proceedings of the AAAI Conference on Artificial Intelligence, 35(12), 10585-10593. Retrieved from https://ojs.aaai.org/index.php/AAAI/article/view/17266

Section

AAAI Technical Track on Machine Learning V