Detecting Backdoor Samples in Contrastive Language Image Pretraining

Q3: Analysis with adaptive attack

A3:

Thank you for your thoughtful suggestion. We have conducted additional experiments to analyze adaptive attacks that aim to circumvent our detection method. Specifically, we tested an adaptive attack using the following optimization objective during pretraining:

$$\mathcal{L}_{\text{CLIP}}(\mathbf{z}^x, \mathbf{z}^t) + \text{SLOF}(\mathbf{z}^{x'}), \quad \mathbf{x}' \in \mathcal{D}_b,$$

where $\mathbf{z}^x$ and $\mathbf{z}^t$ are the image and text embeddings, respectively, and $\text{SLOF}(\mathbf{z}^{x'})$ denotes the Local Outlier Factor score of the backdoor-poisoned samples $\mathbf{x}'$ in the backdoor dataset $\mathcal{D}_b$. This objective allows the attacker to minimize the outlier score of the poisoned samples during pretraining. We implemented this adaptive attack using the BadNets patch trigger, keeping all other experimental settings consistent with those in our initial submission.

The results are reported in the table below. It clearly shows that this adaptive strategy does not circumvent our detection method; in fact, it even improves our detection performance. This is because forcing the poisoned backdoor samples to mimic the density profile of clean samples is only effective within a specific neighborhood in the feature space. To fully evade detection, an attacker would need to account for all possible neighborhoods generated by various combinations of data points—a task that is computationally infeasible given the scale of web datasets, which often contain millions or even billions of samples. Therefore, our detection method remains robust even against adaptive attacks that attempt to minimize the outlier scores of poisoned samples. This reinforces the effectiveness of our approach in real-world settings where attackers may employ sophisticated strategies to hide backdoor triggers.

Thank you for taking the time to review our paper and for your valuable comments. Please find our responses to your questions below.

---

Q1: Impact of k and choice of this hyperparameter.

A1: As demonstrated in Appendix B.5, our detection method remains effective even with a 10% poisoning rate, a level that is highly unlikely in practice according to existing studies.

How to choose the hyperparameters of detection algorithms?

Appendix B.5 provides guidance on selecting the hyperparameter $k$. It suggests that the ratio $\frac{k}{b}$ (where $b$ is the batch size) should exceed the poisoning rate. In our experiments, the default batch size is 2048. For instance:

• In Appendix B.5, where $k = 256$, the ratio \frac{k}{b} = 12.5$% $.
• In Table 1, \frac{k}{b} = 0.78 $%$.

If the ratio $\frac{k}{b}$ is less than the poisoning rate, it is possible that all $k$ neighbors are poisoned data, rendering the outlier scores meaningless. Therefore, we recommend setting $\frac{k}{b}$ above the expected poisoning rate.

However, in real-world scenarios, the defender does not know the true poisoning rate. In this case, we believe k = 16 $ $ is a reasonable choice, given the cost of poisoning the dataset in practice. Furthermore, setting a larger k $(and hence a higher$ \frac{k}{b} $$ ratio) has minimal impact on detection performance.

Below, we present the detection results for $k = 256$ $($ \frac{k}{b} = 12.5$%$$)$ under poisoning rates of 0.01% to 0.1%, illustrating the robustness of our method across varying $k$ values.

---

---

Q2: Dense backdoor region demonstrated by existing work.

A2:

according to a previous study [1], the backdoor example region is much denser compared to clean examples.

The density of backdoor examples depends on the context and granularity of the analysis. The method referenced by the reviewer evaluates the entire dataset and calculates class-wise distances, where samples within the same class (including backdoor-poisoned samples) are likely to form dense clusters. In contrast, our approach examines the representation space within a randomly sampled batch, without relying on any label information. This means that our method does not assess class-wise distances, resulting in a different neighborhood context and potentially different density observations.

all the backdoor-poisoned samples contain similar features (the trigger) and are likely to be clustered together in a particular region.

In our controlled experiments, as shown in Figure 1(b), we observe that backdoor data do indeed cluster together in the representation space due to shared features like the trigger. However, when clean samples are included in the neighborhood, the backdoor data become relatively sparse compared to the clean samples. This highlights that density measures must be interpreted within the specific context of the neighborhood. It is also worth emphasizing that the outlier score (e.g., SLOF or DAO) used in our method is based on the density ratio, not absolute density. This distinction is crucial: backdoor samples may cluster tightly together in isolation, but their sparsity relative to clean samples within the local neighborhood makes them identifiable as outliers. This observation directly relates to Q1/A1, further supporting our method's ability to detect backdoor samples by leveraging the contrast between clean and backdoor samples in the local neighborhood.

Q5: lack of comparison with the latest or state-of-the-art backdoor detection methods

A5:

may lack a comparison with the latest defense

To the best of our knowledge, SafeCLIP (Yang et al., 2024) is the only backdoor data detection method specifically designed for CLIP backdoor poisoning attacks, and it represents the latest advancement in this area.

may lack a comparison with the state-of-the-art backdoor detection methods

We also included a comparison with Cognitive Distillation (CD) (Huang et al., 2023), a state-of-the-art backdoor detection method originally designed for supervised learning. CD can be adapted for CLIP backdoor detection, whereas other supervised learning methods require class labels or classification predictions, which makes them unsuitable for our context. Comparisons with both SafeCLIP and CD are presented in Table 1 of our initial submission, where local outlier detection methods demonstrate clear advantages in effectiveness.

If there are other backdoor detection methods for CLIP that we may have overlooked, we welcome reviewer recommendations and are happy to include additional comparisons in future work. Thank you for raising this important point.

---

[1] Yang, Wenhan, Jingdong Gao, and Baharan Mirzasoleiman. "Better Safe than Sorry: Pre-training CLIP against Targeted Data Poisoning and Backdoor Attacks." In ICML 2024.

[2] Huang, Hanxun, et al. "Distilling Cognitive Backdoor Patterns within an Image." In ICLR 2023.

Thank you for taking the time to review our paper and for your valuable comments. Please find our responses to your questions below.

---

Q1: Sensitivity to parameters

A1: Thank you for raising the concern. We have found that the choice of $k$ has minimal impact on the detection performance. For easier comparison, we have combined the results from Table 1 and the ablation study on $k$ in Appendix B.2 into a single table below. It shows that even when using the $k$ value that yields the lowest detection performance (DAO with $k = 256$), our method still surpasses the best baseline method (iForest) in most cases. The only exception is with the patch trigger, where iForest slightly exceeds DAO by a margin of only 0.03%. This demonstrates that our method is robust to the choice of $k$ and maintains superior performance across a range of parameter values.

---

A2: Dependency on the dataset.

Q2: Thanks for your thoughtful comment. Please refer to Appendix B.7 Table 10, where we already conducted our experiments on CC12M, which shows a consistent level of detection performance.

---

Q3: Based primarily on specific model architectures and comprehensive evaluation of different architectures.

A3: Thanks for your valuable comment. We conducted an additional experiment using ResNet-101 as the encoder for detection, with all other experimental settings consistent with the initial submission. The results indicate that the choice of architecture does not impact detection performance.

In addition to the commonly used ResNet and ViT, please let us know if there is a specific architecture of interest that you believe would further validate our findings. We would be happy to include it in our discussion during the rebuttal period. However, due to time constraints, we are currently unable to test all possible variants of ResNet and ViT. We plan to extend our analysis to include a wider range of architectures in the next version of our paper to provide a more comprehensive evaluation.

---

Q4: Applications on other datasets.

A4: Thanks for your suggestion. Our proposed method is designed to work with any image-text pair dataset. As mentioned in our response to Q2/A2, we have demonstrated that our detection method is generalizable on the CC12M dataset.

Unfortunately, due to time constraints, we were unable to download and conduct experiments on the RedCaps and WITdatasets, which contain 12 million and 38 million image-text pairs, respectively. We only managed to download 30% of the RedCaps as of today. We will do our best to provide a comparison before the rebuttal ends.

Thanks for the effort in downloading the RedCaps dataset and addressing comparisons with SafeCLIP and Cognitive Distillation. However, there are additional related works that are highly relevant to backdoor detection in pre-trained encoders and multimodal models like CLIP.

Incorporating these works into your discussion would provide a more comprehensive comparison and situate your contribution within the broader context of recent advancements in this field, including DECREE, BDetCLIP, and Adversarial Backdoor Defense (see references below). A broader evaluation of these approaches, particularly in terms of their effectiveness, computational efficiency, and applicability, would strengthen this work.

[1] Kuang, Junhao, et al. "Adversarial backdoor defense in clip." arXiv preprint arXiv:2409.15968 (2024)

[2] Niu, Yuwei, et al. "Bdetclip: Multimodal prompting contrastive test-time backdoor detection." arXiv preprint arXiv:2405.15269 (2024).

[3] Feng, Shiwei, et al. "Detecting backdoors in pre-trained encoders." Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition. 2023.

Q3: Lack of analysis on adaptive attack

A3:

Thank you for your thoughtful suggestion. We have conducted additional experiments to analyze adaptive attacks that aim to circumvent our detection method. Specifically, we tested an adaptive attack using the following optimization objective during pretraining:

$$\mathcal{L}_{\text{CLIP}}(\mathbf{z}^x, \mathbf{z}^t) + \text{SLOF}(\mathbf{z}^{x'}), \quad \mathbf{x}' \in \mathcal{D}_b,$$

where $\mathbf{z}^x$ and $\mathbf{z}^t$ are the image and text embeddings, respectively, and $\text{SLOF}(\mathbf{z}^{x'})$ denotes the Local Outlier Factor score of the backdoor-poisoned samples $\mathbf{x}'$ in the backdoor dataset $\mathcal{D}_b$. This objective allows the attacker to minimize the outlier score of the poisoned samples during pretraining. We implemented this adaptive attack using the BadNets patch trigger, keeping all other experimental settings consistent with those in our initial submission.

The results are reported in the table below. It clearly shows that this adaptive strategy does not circumvent our detection method; in fact, it even improves our detection performance. This is because forcing the poisoned backdoor samples to mimic the density profile of clean samples is only effective within a specific neighborhood in the feature space. To fully evade detection, an attacker would need to account for all possible neighborhoods generated by various combinations of data points—a task that is computationally infeasible given the scale of web datasets, which often contain millions or even billions of samples. Therefore, our detection method remains robust even against adaptive attacks that attempt to minimize the outlier scores of poisoned samples. This reinforces the effectiveness of our approach in real-world settings where attackers may employ sophisticated strategies to hide backdoor triggers.

---

---

Q4: The time efficiency comparison with baseline and scaling with number of samples.

A4: Thank you for your question regarding the time efficiency of our method. Please refer to Appendix B.1, Table 3 in our initial submission for a detailed time efficiency comparison. For your convenience, we have copy-pasted the results to the table below.

Table: Time efficiency comparison of different methods (measured in number of hours).

metrics rely on the k-nearest neighbor

For each data point, we sample a batch of data as the pool to select the nearest neighbors, as explained in Appendix A. Calculating the k-nearest neighbors involves a single matrix multiplication to compute pairwise distances, followed by sorting these distances. This operation is highly efficient on GPUs, taking approximately 0.6 seconds to process a batch of 2,048 data points, including the time for extracting embeddings using the CLIP encoder.

I am confused about how it could be an efficient strategy when the number of data samples is large.

Our approach scales linearly with the number of data points $n$, having a time complexity of $\mathcal{O}(n)$. In comparison:

• ABL (Automatic Backdoor Detection) has a time complexity of $\mathcal{O}(mn)$, where $m$ is the number of epochs needed to track sample-specific losses.
• CD (Cognitive Distillation) requires $\mathcal{O}(tn)$ time, where $t$ represents the number of optimization steps per sample.
• Isolation Forest (iForest) requires $\mathcal{O}(hn)$ time, where $h$ represents the number of trees in the ensemble.

While methods like SafeCLIP also have linear time complexity $($ \mathcal{O}(n) $)$, they are less effective than our method in detecting backdoor data.

Therefore, our method offers a favorable balance between efficiency and effectiveness, even when dealing with large-scale datasets. The linear scalability ensures that our approach remains practical and efficient as the number of samples increases, addressing concerns about processing time in large datasets.

Thank you very much for reviewing our paper and the valuable comments. Please find our response to your questions below:

---

Q1: Technical novelty

A1: According to the ICLR Reviewer Guide (2021–2025), novelty should be evaluated not only based on technical methods but also on novel findings. We believe our work offers significant contributions in both respects.

We summarize our novelty and contributions as follows:

1. Discovery of Local Outliers in Deep Representation Space: We found that backdoor data targeting CLIP models manifest as local outliers in the deep representation space. This insight led us to develop a detection method using local outlier analysis.

2. Revelation of Real-World Backdoor Data: We uncovered an actual backdoor trigger and a collection of backdoor data sourced from the Internet, which are already being incorporated into pretraining datasets.

These novel findings are important to the ICLR community.

We would like to direct the reviewer to the ICLR 2023 workshop on “Backdoor Attacks and Defenses in Machine Learning,” specifically the invited talk “Why Nobody is Using Your Backdoor Defense” by Vitaly Shmatikov [1]. The talk highlighted two key issues:

1. The lack of real-world examples of backdoors.
2. The practical complexity of existing defense methods.

Our work addresses these concerns by demonstrating that:

1. Backdoor Data Are Present in Real-World Datasets: We provide evidence that backdoor data are already present on the Web and are being used in pretraining, thus filling the gap of real-world examples.

2. Simple and Effective Defense Solutions: We propose a straightforward yet effective method for mitigating backdoor threats, countering the complexity of existing defense approaches.

In practical settings, data cleansing is an essential part of machine learning pipelines (e.g., Amazon SageMaker). Our method offers an additional step to enhance this process by efficiently detecting and filtering backdoor data, thereby mitigating the real-world backdoor threat.

To the best of our knowledge, no current backdoor data filtering methods can efficiently clean million-scale pretraining datasets. We genuinely hope the community can embrace simple yet effective solutions to address this realistic safety threat to existing pretraining paradigms.

[1] Invited Talk by Vitaly Shmatikov at the ICLR 2023 workshop: https://iclr.cc/virtual/2023/workshop/12825

---

Q2: Lack of comparison with optimized trigger BLTO

A2: Thanks for your suggestion. We have conducted additional experiments using the checkpoints provided in the BLTO open-source repository, specifically those trained on CIFAR-10 and ImageNet-100. All other experimental settings remained consistent with those in our initial submission.

The detection results, presented in the table below, demonstrate that BLTO triggers can also be effectively detected by our method. This confirms that our approach is robust against optimized triggers like BLTO. Therefore, all the conclusions drawn in our initial submission apply to BLTO as well.