Does Few-Shot Learning Suffer from Backdoor Attacks?

Authors

  • Xinwei Liu SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences School of Cyber Security, University of Chinese Academy of Sciences
  • Xiaojun Jia Nanyang Technological University, Singapore
  • Jindong Gu University of Oxford, UK
  • Yuan Xun SKLOIS, Institute of Information Engineering, Chinese Academy of Sciences School of Cyber Security, University of Chinese Academy of Sciences
  • Siyuan Liang School of Computing, National University of Singapore, Singapore
  • Xiaochun Cao School of Cyber Science and Technology, Shenzhen Campus, Sun Yat-sen University, Shenzhen, China

DOI:

https://doi.org/10.1609/aaai.v38i18.29965

Keywords:

PEAI: Privacy & Security, CV: Bias, Fairness & Privacy, ML: Privacy

Abstract

The field of few-shot learning (FSL) has shown promising results in scenarios where training data is limited, but its vulnerability to backdoor attacks remains largely unexplored. We first explore this topic by first evaluating the performance of the existing backdoor attack methods on few-shot learning scenarios. Unlike in standard supervised learning, existing backdoor attack methods failed to perform an effective attack in FSL due to two main issues. Firstly, the model tends to overfit to either benign features or trigger features, causing a tough trade-off between attack success rate and benign accuracy. Secondly, due to the small number of training samples, the dirty label or visible trigger in the support set can be easily detected by victims, which reduces the stealthiness of attacks. It seemed that FSL could survive from backdoor attacks. However, in this paper, we propose the Few-shot Learning Backdoor Attack (FLBA) to show that FSL can still be vulnerable to backdoor attacks. Specifically, we first generate a trigger to maximize the gap between poisoned and benign features. It enables the model to learn both benign and trigger features, which solves the problem of overfitting. To make it more stealthy, we hide the trigger by optimizing two types of imperceptible perturbation, namely attractive and repulsive perturbation, instead of attaching the trigger directly. Once we obtain the perturbations, we can poison all samples in the benign support set into a hidden poisoned support set and fine-tune the model on it. Our method demonstrates a high Attack Success Rate (ASR) in FSL tasks with different few-shot learning paradigms while preserving clean accuracy and maintaining stealthiness. This study reveals that few-shot learning still suffers from backdoor attacks, and its security should be given attention.
AAAI-24 / IAAI-24 / EAAI-24 Proceedings Cover

Downloads

Published

2024-03-24

How to Cite

Liu, X., Jia, X., Gu, J., Xun, Y., Liang, S., & Cao, X. (2024). Does Few-Shot Learning Suffer from Backdoor Attacks?. Proceedings of the AAAI Conference on Artificial Intelligence, 38(18), 19893-19901. https://doi.org/10.1609/aaai.v38i18.29965

Issue

Vol. 38 No. 18: AAAI-24 Technical Tracks 18

Section

AAAI Technical Track on Philosophy and Ethics of AI