Test-Time Multimodal Backdoor Detection by Contrastive Prompting

Thanks for your valuable comments. We provide point-by-point responses to your concerns as follows. We are also willing to discuss with you in the discussion period if there is anything unclear.

Q1: Unpredictable attacks and the need for large auxiliary datasets.

A: We would like to clarify that our method does not require prior knowledge of the backdoor attack type. The threshold is estimated using only clean images. Furthermore, the auxiliary dataset consists of 50,000 images; therefore, 0.1% corresponds to 50 images, representing a relatively small sample size. To further address your concern, we conducted experiments using a 0.05% sampling ratio:
Table: 0.05 sampling rate

Q2: More metrics.

A: Thank you for your suggestion. To better show the metrics, we have provided the AUROC curves in the anonymous link: https://drive.google.com/drive/folders/109V8xGsbnVcUgRXzh6r3qM7ae3qOCrwT?usp=sharing, which includes TPR and FPR. From these images, we can see that when FPR is low, the performance still maintains a high level, which validates the method's confidence in distinguishing clean and backdoor samples.

Q3: The backdoor ratios used in the experiments.

A: We would like to clarify that the backdoor ratio mentioned in Appendix E.8 refers to the proportion of poisoned samples in the testing set during detection, not the poisoning ratio in the training set. We can effectively poison the model with only 1500 poisoned samples. Please refer to Appendix C, 'More Details about the Experimental Setup,' specifically the 'Details of traditional attack' section.

Q4: The traditional backdoor attacks employed seem outdated. It would be beneficial for the authors to incorporate more recent and sophisticated attacks.

A: We would like to explain that we have compared many advanced backdoor attacks, such as BadCLIP-1, BadCLIP-2, TrojVQA, and BadEncoder. We believe that the experimental results have sufficiently validated the superiority of our method against these recent advanced attacks.

Q5: Can the defender still effectively select the threshold when faced with unknown or adaptive attacks?

A: Thank you for your review! As stated in response to Q1, our method does not require prior knowledge of the attack type. Furthermore, BadCLIP is indeed an adaptive attack, where the visual trigger closely aligns with class-specific texts, including target-class-related attribute words in the embedding space. The defense performance against BadCLIP, as shown in Table 1, demonstrates the effectiveness of our method even against adaptive attacks.

Q6: Could the defender still accurately select the threshold with a smaller auxiliary dataset or even just a few auxiliary samples?

A: To solve your concern, we have conducted additional experiments by only using 25 samples (sampling rate 0.05%). The experimental results are shown in the following table.

Table: 0.05 sampling rate

From the table, we can see that our method still achieves high performance, which validates its applicability in real-world applications.

Q7: The backdoor ratios in the experiments are too large and unrealistic. How will the proposed method perform when the backdoor ratio is small?

A: Thanks for your valuable suggestion. We have conducted additional experiments by setting the backdoor ratio to 0.01. The experimental results are shown in the following table.

Table: 0.01 backdoor ratio

From the table, we can see that our method still achieves high performance even when facing the small backdoor ratio.

Thanks for your insightful comments. We provide point-by-point responses to your concerns as follows. We are also willing to discuss with you in the discussion period if there is anything unclear.

Q1: For safety-related papers, it is encouraged to add some discussions on adaptive attacks. For instance, when conducting backdoor attacks, what if the attacker adds regularization to control the cosine similarity between poisoned images and benign text descriptions?

A: Thanks for your insightful suggestion. It is worth noting that BadCLIP used in the experiment is exactly one of the adaptive attacks since the triggers are optimized by attribute texts (like benign class descriptive texts) of the target class. From the experimental results shown in Table 1, we can see that our method can also achieve a high AUROC against the adaptive attack. This may be because, although the trigger is more aligned with the attributes of the target class, it is still infeasible to perceive the semantic change between benign and malignant class descriptive texts due to their diversity. We will provide more discussion on the adaptive attack and potential defense counterparts in the revised paper.

Q2: It seems that the current method is only capable of detecting the backdoors within images. What if only the text encoder is poisoned?

A: Thanks for throwing the interesting idea. We would like to explain that existing related research [1-7] on the backdoor security of vision-language models all focus on detecting the backdoors in the images, which is a widely used protocol, and thus we also following this setting in the paper. In addition, it is also interesting to explore your idea of detecting the textual backdoor when only the text encoder is poisoned. We will explore this idea in the future.

Q3: Is it possible to extend your method to other tasks, such as image-captioning?

A: Thanks for throwing the interesting idea. We believe that our BDetCLIP can be adapted to other non-classification tasks, e.g., cross-modal retrieval. For example, assume that a vision-language model has been implanted with a visual backdoor (the target class is banana), in cross-modal retrieval, a clean query image of a dog corresponds to many gallery texts related to the dog, while a query image of a dog associated with the backdoor could correspond to many gallery texts related to the banana. To defend against the backdoor attack in cross-modal retrieval, we can adapt BDetCLIP with specific modifications. Particularly, we can add benign and malignant descriptions to gallery texts, and calculate the matching differences of top-k retrieval texts. In this way, a clean query image could correspond to a changeable gallery of texts, while a backdoored query image could correspond to a stable gallery of texts. Hence, we can calculate a similar metric value indicating the stability of gallery texts and employ a similar detecting criterion in BDetCLIP. We will explore the idea in the future.

References

[1] Cleanclip: Mitigating data poisoning attacks in multimodal contrastive learning. In ICCV, 2023.

[2] Badclip: dual-embedding guided backdoor attack on multimodal contrastive learning. In CVPR, 2024.

[3] BadCLIP: Trigger-Aware Prompt Learning for Backdoor Attacks on CLIP. In CVPR, 2024.

[4] Robust contrastive language-image pretraining against data poisoning and backdoor attacks. In NeurIPS, 2023.

[5] Better Safe than Sorry: Pre-training CLIP against Targeted Data Poisoning and Backdoor Attacks. In ICML, 2024.

[6] Unlearning Backdoor Threats: Enhancing Backdoor Defense in Multimodal Contrastive Learning via Local Token Unlearning. In Arxiv, 2024.

[7] BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning. In IEEE Symposium on Security and Privacy, 2022

Thank you for your valuable comments, and we respond to your concerns as follows. We are willing to discuss with you in the discussion period.

Q1: The label consistent attack violates the assumption of the motivation.

A: Thanks for raising the concern. We would like to explain that label-consistent attacks do not violate the assumption of our motivation. As for label-consistent attacks, the visual trigger (in the images of ''banana'') could only align with the target class text (e.g., ''banana'') in the unchanged caption, but could not align well with abundant textual concepts that are specific property texts of the target class (e.g., yellow color, meniscus shape, and fruit toward ''banana''). Empirically, BDetCLIP achieves high AUROCs against BadNet-LC (0.983) and Blended-LC (0.997), as shown in Table 1, which also validates our motivation.

Q2: Adaptive attacks.

A: Actually, BadCLIP-1 is exactly one of the adaptive attacks since the trigger used in BadCLIP-1 is optimized by using attribute texts of target classes like benign class descriptive texts used in our method.

Q3: Unfair comparison of single-modal detection methods.

A: We argue that the comparison is definitely fair, as we already tried various operations to adapt existing single-modal detection methods to be multi-modal detection methods. It is noteworthy that developing more advanced techniques to adapt single-modal detection to multi-modal detection is not the key point of our paper, which needs further specialized research.

Q4: The attack success rate of poisoned CLIP is not reported.

A: Actually, we have reported the ASR of some backdoor attacks (i.e., BadNet and Blended) and zero-shot accuracy performance of poisoned CLIP, as shown in Tables 25 and 26 in Appendix. We would like to mention that ISSBA achieves a relatively low ASR (near 76%), thereby indicating that the target model is not fully poisoned (corresponding to your concern). In this case, our method still achieves an AUROC of 0.927, which validates the adaptability of our method against different poison levels of target models.

Q5: Dataset Limitations

A: We have conducted additional experiments on COYO-700M, which is also a large-scale image-caption dataset. Specifically, we select 50,000 image-text pairs from COYO-700M and poison 1,500 of them (BadNet), and fine-tune CLIP on the poisoned dataset. After this, we use our method for detection and achieve an AUROC of 0.94, which validates the effectiveness of our method on the real-world large-scale dataset.

Q6: CLIP variant

A: Existing works (i.e., CleanCLIP, BadCLIP, RoCLIP, and SafeCLIP) that focus on backdoor learning on vision-language models commonly consider CLIP as a representative victim model due to its reproducibility. Following this setting, we also follow the common protocol to use the same backbone for fair comparison.

Q7: Defense comparison (RoCLIP and SafeCLIP)

A: We have tried to use them to defend against BadCLIP on CC3M in the fine-tuning setting, however, due to limited time and computing resources, the experiments are still running. We expect to report the experimental results by the end of the reviewer-author discussion.

Q8: Threshold dependency and selection.

A: Using a small proportion of clean data for threshold selection is a common and reasonable strategy used in many backdoor defense methods. Besides, we also have conducted a detailed analysis for threshold selection based on 85% quantile in Appendix B. The variance of the threshold may indeed be high in Table 10 (i.e., your concern), but the final performance of our method is not very sensitive to a wide range of thresholds, which means, the threshold selection would not hinder the practical application of our method.

Q9: Attack Diversity.

A: This is true that the detection performance against "Rooster" is slightly lower than that against other target classes (average 3.6%) in Table 13. This may be because of the inherent diversity of target classes in terms of visual complexity and class descriptions.

Q10: Formal analysis for backdoor alignment.

A: We provide a formal analysis by mutual information. Specifically, let us denote some variables: clean image $X$, backdoor image $Z$, and text change $Y$. Due to formulation $I(X;Y)=H(Y)-H(Y|X)$, where $H(Y)$ denotes the entropy of $Y$ and $H(Y|X)$ denotes the entropy of $Y$ conditioned on $X$, we can obtain $I(X;Y) - I(Z;Y) =H(Y|Z)-H(Y|X)$. Given backdoor images $Z$, the entropy (uncertainty) of $Y$ is high because $Z$ only has a strong relationship with the target text. In contrast, clean image $X$ correlates with specific semantic description and thus makes the entropy of $Y$ relatively low. So we obtain $H(Y|Z)>H(Y|X)$, and thus $I(X; Y)>I(Z; Y)$, which means backdoor images are less sensitive to text changes than clean images. We will include the above analysis in the revised version.

Thank you very much for your positive feedback on our paper. Below, we provide point-by-point responses to address your concerns. We will be more than happy to discuss with you in the reviewer-author discussion period if there is anything unclear.

Q1: Randomness on LLM Generation: The success of generating effective prompts (especially “benign” ones) relies on high-quality language models and well-controlled generation. Although the empirical results are good, it is not very clear how to strategically control such generation.

A: Thank you for your valuable comment. In Section 4.2, we have already examined the impact of prompt variation on detection reliability, specifically analyzing the effects of prompt length and quantity. Our experimental results show that increasing the number of class-specific benign prompts generally enhances detection quality, while longer class-specific malignant prompts tend to degrade it. More importantly, our main experiments demonstrate that prompts generated with GPT-4 achieve a quality level sufficient to meet our defense requirements. Additionally, the strong and consistent detection performance observed across prompts generated by eight open-source large language models (as detailed in the Appendix) suggests that high-quality prompt generation is readily attainable.

Q2: Adaptive Attacks: The paper shows strong detection for existing backdoor attacks, but adaptive attackers might design triggers that shift embeddings in ways that mimic normal text-visual alignment. The paper could explore more robustness analysis against such adaptive strategies.

A: Thank you for your suggestion. Notably, BadCLIP-1 [1] in our experiment represents an adaptive attack, as its trigger is optimized using attribute texts of target classes, similar to the benign class descriptive texts employed in our method. As shown in Table 1, BDetCLIP maintains a high AUROC of 0.900 against BadCLIP-1, demonstrating the effectiveness of our approach in defending against adaptive attacks. Following your suggestion, we will provide a more in-depth analysis of our method’s robustness against such attacks.

References

[1] Badclip: dual-embedding guided backdoor attack on multimodal contrastive learning. In CVPR, 2024.