Backdoor Contrastive Learning via Bi-level Trigger Optimization

Q4&Q5. More diverse choices of backbone architecture and dataset. Extended to more tasks beyond classification.

Thanks for your suggestion. We have added additional experiments on more model architectures: we evaluate our attack when the victim adopts ViT (e.g., ViT small/16 on ImageNet-100 via SimCLR), RegNetX and RegNetY (e.g., regnety_200mf, regnety_400mf on CIFAR-10 via SimCLR). The surrogate models use SimSiam (the default setting in our Table 1). Results on ViT can be found in Appendix C.4 (Table 8), and results on RegNetX, RegNetY is attached in Table 2. We also provide the results as follows:

Above experimental results indicates that our BLTO attack presents remarkable effectiveness across more modern DNN backbones. Given time constraints, it is not quite possible for us to conduct even larger experiments on full ImageNet data. In terms of target learning task, we mainly focus on the classification task following the common practice in this area [3, 4, 5] and we would be happy to extend it into other tasks in our future work.

References

[1] Tongzhou Wang and Phillip Isola. "Understanding contrastive representation learning through alignment and uniformity on the hypersphere." PMLR 2020.

[2] He, Hao et al. "Indiscriminate Poisoning Attacks on Unsupervised Contrastive Learning." (ICLR 2023)

[3] Li, Changjiang et al. "An Embarrassingly Simple Backdoor Attack on Self-supervised Learning." (arXiv 2023, this is the official edited version of CTRL)

[4] Saha et al. "Backdoor Attacks on Self-Supervised Learning." CVPR 2022.

[5] "CorruptEncoder: Data Poisoning based Backdoor Attacks to Contrastive Learning." (arXiv 2023)

Q1. Lack of details: K, J and their relationship with N, Figure 4, re-initialization

Thank you for your sugguestion. We added all these details in the revised paper for better clarity:

• In Algorithm 1, K and J depend only on the batch size and the total number of data points in the involved dataset. K is calculated via (len of backdoored dataset)/(batch size), and J is calculated via (len of clean dataset)/(batch size). On the other hand, N is independent from K and J (in our default settings, N is 400). We also provide a typical plot (inner and outer loss objectives with N steps) during the bi-level trigger optimization in Appendix C.7, and we can observe that such a design already leads to a converging loss curve.

• All data in Figure 4 reflects the victim's training stage: the victim is using the backdoored dataset to pre-train encoder via CL. The x-axis in Figure 4 refer to the victim's training epoch. At this stage, the attacker has finished the trigger optimization and cannot intervene the victim's training process. Therefore, it is fair to make the comparison between our attack and others, as the difference only lies in different poisoning data injected in the victim's training set.

• For "regularly re-initialization", we meant to re-initialize the surrogate feature extractor every N bi-level optimization steps and repeat the procedure for M times. In our experiment, we repeat for M=2 times. The reason to perform re-initialization is to prevent the trigger generator from overfitting to one particular surrogate models (so we reset it and retrain another surrogate model after certain time).

Q2. What determines superior transferable ability of the chosen surrogate CL framework (SimSiam)?

Note that although we pick SimSiam as our default surrogate CL framework, our method could also work with other CL frameworks. Here we provide the attack performance (on CIFAR-10) with another two CL frameworks (BYOL and SimCLR) as surrogate models.

We can observe that the attack transferability is not limited to a specific surrogate CL method. We have include these experimental results in Appendix C. 6 (Table 10). We believe the key reason is that though CL frameworks differ with each other in work flows (negative pairs, loss function designs, etc), their core mechanisms are similar (i.e., alignment and uniformity), as discussed in Section 3. This allows our trigger generator fits other CL frameworks easily once it succeed in backdooring one particular CL framework (i.e., the surrogate CL framework in our algorithm). Such a transferable ability across different CL frameworks is also reported by existing work [2].

Q3. Does the co-training surrogate backdoored model perform as well as an backdoored model actually trained on the poisoned data?

Thanks for the question. We provide the surrogate model's performance in the following (framework: SimSiam, dataset: CIFAR-10, backbone: resnet18). For comprison, we also showed victim model's performance after the same training epoch as the surrogate model.

Here are our observation and analysis based on our above experimental records.

• For ASR, the surrogate backdoored model performs better than an backdoored model actually trained on the poisoned data. This is easy to understand since the trigger generator is directly optimized from the surrogate backdoored model, making it fit the surrogate model better.

• For backdoor accuracy (BA), the surrogate backdoored model performs similar with an backdoored model actually trained on the poisoned data, as they both learn knowledge from those clean data points.

We really appreciate the constructive comments from reviewer Tcds, which significantly enhance the quality of our work. As we approach the end of discussion stage, we would like to ask if there are any additional comments regarding our response, and we are more than happy to address them. Additionally, we would appreciate if you could consider updating your scores if our rebuttal has satisfactorily addressed your concerns. Thanks again for your time and effort in providing thoughtful feedback!

Thank you for your constructive suggestions to strengthen our work. We hope our following response addresses your concerns, and we are more than willing to answer any follow-up questions.

Q1. Claim on "fixed trigger design" and ablation study using trigger generator alone.

Thanks for the insight. In fact, our ablation study in Appendix C.3 (Table 7) was designed to answer this question. Specifically, in Table 7, the case w/o inner optimization exactly corresponds to your desired case: the generator is used but the bi-level formulation is disabled (i.e., the generator is only optimized on a pretrained clean encoder). We copy the results as follows:

Observe that without bi-level optimization, the generator still presented a certain level of backdoor effectiveness. This partially suggests the ineffectiveness of "fixed trigger design". However, simply adopting the generator is still not satisfactory and we found that utilizing bi-level optimization can further boost the performance.

We have also adjusted expressions about "fixed trigger design" in the paper to avoid possible misunderstanding. In our context, "fixed trigger design" indicates those triggers that are not optimized, such as fixed patch in SSL backdoor [1].

Q2. Additional experiments using SimCLR or BYOL as the surrogate CL method.

Thanks for the insight. In fact, our bi-level trigger optimization is not restrictive to a specific CL framework, and all unsupervised CL methods can serve as surrogate methods. To verify this, our supplementary ablation study (with SimCLR and BYOL as the sorrogate methods) on CIFAR-10 is shown as follows (along with SimSiam already presented in our Table 1):

We can observe that our BLTO attacks can be effective on various surrogate CL methods. We have include these experimental results in Appendix C. 6 (Table 10).

Q3. Comparison with PoisonedEncoder and CorruptEncoder.

Thanks for pointing out these works. We have added corresponding discussions of them in related works, preliminaries and methdologies.

• PoisonedEncoder[2]: We notice that this work's threat model is different from ours: it intends to fool the victim's encoder to misclassify attacker's select inputs (not all inputs attached with trigger) into target categories. Therefore, it is not a backdoor attack method and thus the objectives in loss functions are actually different. Indeed, PoisonedEncoder also proposed a bi-level optimization fomulation. However, it finally resort to non-iterative heuristic solutions, potentially due to the challenges in solving their corresponding bi-level problem. We have included this discussion in related works section.

• CorruptEncoder[3]: This is indeed a revelent work and we have already discussed it in our related works. We did not compare with CorruptEncoder mainly due to their unique triggered image generation design: they need to combine background images with objects in various ways. Such a design make it difficult to perform on small size image datasets, such as CIFAR-10 and CIFAR-100. Also they have not yet published the code or processed object/background images and thus it is nontrivial to reproduce the method at the current stage.

Q4. If the reference data is randomly sampled from the target class? Does it need to be included in the downstream dataset to ensure the success of the attack?

The reference data is randomly sampled from the target class. For instance, suppose "truck" is the target class, we randomly sample 500 "truck" images (from CIFAR-10) as reference data. We added more classifications to the procedure in Appendix A.2.

The reference data is not required to be included in the victim's downstream dataset to ensure the success of the attack. To verify this, we conduct a new experiment where we changed the downstream dataset to STL-10 dataset while the reference data is from CIFAR-10. The victim could use SimCLR, BYOL or SimSiam to train their ResNet-18 backbone. The downstream classifier is a linear DNN, similar to BadEncoder [4]. We added this evaluation in Appendix C.6 (Table 15) and list the results as follows:

The results indicate that our attack doesn't require the overlapping between reference data and downstream dataset to obtain a good attack performance.

References

[1] Saha et al. Backdoor Attacks on Self-Supervised Learning. CVPR 2022.

[2] Hongbin Liu et al, "PoisonedEncoder: Poisoning the Unlabeled Pre-training Data in Contrastive Learning" (Usenix Security 2022)

[3] CorruptEncoder: Data Poisoning based Backdoor Attacks to Contrastive Learning.

[4] Jia et al., BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning. IEEE S&P 2022.

We really appreciate the constructive comments from reviewer KWn8, which significantly enhance the quality of our work. As we approach the end of discussion stage, we would like to ask if there are any additional comments regarding our response, and we are more than happy to address them. Additionally, we would appreciate if you could consider updating your scores if our rebuttal has satisfactorily addressed your concerns. Thanks again for your time and effort in providing thoughtful feedback!

Thank you for the comments to help clarify our work. We hope our following response addresses your concerns, and we are more than willing to answer further questions.

Q1. The baseline implementations and results seem questionable based on inconsistencies attack success rates for SSL backdoor and CTRL from prior works.

We are sorry for the confusion and we believe it is just a misunderstanding. We have provided detailed discussion and make it clear in Appendix C.8.

In fact, the ASR difference is due to the contrastive learning (CL) implementation adopted by the victim, which can be seen from the model accuracy on clean data: using our CL implementation, the victim encoder can achieve almost $90\%$ BA (i.e., ACC) on CIFAR-10; while with the original CTRL's CL implementation, the encoder achieves $80\%$ ACC on CIFAR-10 (i.e., Table 1 in CTRL [1]).

In the following, we provide detailed evidences (e.g., CL implementation difference, related works and codes) to demonstrate the fidelity of our experiment on SSL backdoor and CTRL. We hope this can clarify your doubts about our implementation and result.

1. Difference in CL implementation that results in different ASRs and ACCs: our CL implementation for victim follows standard contrastive learning practices (i.e., SimCLR [4]), which differs from CTRL's CL implementation in 1) data normalization, and 2) batch-wise data augmentation strategy. Specifically, in CTRL's official implementation, it did not use instance-specific data augmentation within the batch during training and data normalization during testing, which leads to an encoder with a lower ACC/BA and a higher ASR.

2. Reason of not using CTRL's CL implementation: note that in our threat model, the attacker cannot control how the victim train the actual CL model. In practice, victims would prefer adopting CL that produces a more accurate encoder with higher ACC. In fact, our CL implementation follows standard practices with matching ACC: SimCLR (Table B.5 in [4]) reports 90.6% ACC for ResNet on CIFAR-10, which is close to our reported 90% ACC / BA in Table 1. However, the SimCLR implemented in CTRL only achieves 80.5% ACC (Table 1 in CTRL [1]). Besides, CTRL's CL on ImageNet-100 has 42.2% ACC, which is even lower than ACC on the whole ImageNet (around 69% ACC in Table 6 of [4]). Therefore, we believe that we actually considered a more practical scenario for the victim's CL implementation.

3. Existing work [3] reports similar ASR as ours (on CTRL and SSL backdoor): our reported ASR of CTRL and SSL backdoor on ImageNet-100 is consistent with those in [3]. To be specific, Table 1 and Table 2 in [3] report CTRL on ImageNet100 with 28.8% ASR and SSL backdoor with 14.3% ASR, and their ACCs / BAs are about 70%. These results in general match ours on ImageNet-100, e.g., CTRL with 35.62% ASR, SSL backdoor with 13.10% ASR, and their 70% ACC / BA). Note that 70% ACC / BA in our works and [3] matches common CL practices, higher than 40% ACC / BA in CTRL (Table 1 of CTRL [1]).

4. An anonymous GitHub repository is provided to reproduce our results and CTRL's results, please check https://anonymous.4open.science/r/CTRL_correctness-9D51. Here in the victim contrastive learning procedure, the victim uses SimCLR to train a ResNet18 backbone on backdoored CIFAR-10 (as in CTRL [1] Table 1 and ASSET [2] Table 5). Directly excuting the following Python files in the repository can reproduce CTRL's and our results:

   • main_train.py: CTRL's contrastive learning implementation following their GitHub repository "https://github.com/meet-cjli/CTRL/tree/master," which can report a similar ASR (80+%) and similar ACC (80+%) in CTRL [1].
   • main_train_my.py: our contrastive learning implementation, which reports CTRL's performance with similar ASR (30+%) and ACC (90+%) in our paper. The major differences in our CL implementation are detailed above and in this anonymous repository.

Q2. Discuss on using more accurate Hessian approximations to solve the proposed bi-level optimization.

We sincerely thank you for the suggestion. We added a convergence plot Figure 11 for solving this bi-level optimization problem, and we can observe that our adopted interleaving update strategy is already effective and leads to convergent training loss. Note that such a design is natural and widely adopted in many different problems (such as [5][6]). In fact, [7] actually showed that omitting the second derivatives does not lead to major performance change on the bi-level solution. While Hessian approximations could potentially provide a more accurate solution, it could also bring a higher computation complexity and time cost due to the calculation on the second derivatives, which limits the attack practicability on large-scale datasets. We add this discussion in Appendix C.7.

Q3. Related work discussion on backdoor attack [8] and backdoor sample detection [2].

Thank you for the suggestions. We have added discussion to these works [2, 8] in Section 2.

Comparison with Narcissus [8]: Narcissus is primarily designed for clean-label backdoor attack in supervised learning, which is different from our contrastive learning setting. Specifically, this attack synthesizes triggers using not only the target class, but also a supervised surrogate model (obtained from labeled datasets), while our threat model assumes no access to such a supervised surrogate model by default but trains a surrogate encoder via contrastive learning on an unlabeled dataset. Due to this difference in attack knowledge, this work is not directly comparable of our work but we have discussed it in the updated paper.

Evaluation under ASSET [2]: while we have provided an evaluation against multiple backdoor defenses in Section 5.3, we are happy to further evaluate under this suggested one and include it in Section 5.3 and Appendix C.5. Specifically, on our backdoored CIFAR-10 data (with poisoning rate 1%), we used ASSET to sift backdoored data points, and caluclated True Positive Rate TPR = 5.39% and False Positive Rate FPR = 32.17%. This low TPR and high FPR indicate that our backdoor can still effectively resist ASSET's detection.

References

[1] Li, Changjiang et al. An Embarrassingly Simple Backdoor Attack on Self-supervised Learning. (arXiv 2023, this is the official edited verison of CTRL)

[2] Pan, Minzhou, et al. "ASSET: Robust Backdoor Data Detection Across a Multiplicity of Deep Learning Paradigms." Usenix Security (2023).

[3] Zhang, Jinghuai, et al. "CorruptEncoder: Data Poisoning based Backdoor Attacks to Contrastive Learning." arXiv preprint arXiv:2211.08229 (2022).

[4] Ting Chen, et al. "A Simple Framework for Contrastive Learning of Visual Representations" ICML 2020.

[5] Hanxun Huang, et al. "Unlearnable Examples: Making Personal Data Unexploitable" ICLR 2021.

[6] Aleksander Madry et al. "Towards Deep Learning Models Resistant to Adversarial Attacks" ICLR 2018.

[7] Chelsea Finn, et al. "Model-Agnostic Meta-Learning for Fast Adaptation of Deep Networks." ICML 2017.

[8] Zeng, Yi, et al. "Narcissus: A practical clean-label backdoor attack with limited information." ACM CCS (2023)

Thank you for your constructive suggestions to strengthen our work. We hope our following response addresses your concerns, and we are more than willing to answer any follow-up questions.

Q1. Include more self-supervised learning methods such as Jigsaw, MoCoV2, and DINO, and more model architectures such as ViT and RegNetY in Table 1 and Table 2.

We appreciate your suggestion and have included more results in Table 2, Appendix C.4 (Table 8) and Appendix C.6 (Table 14).

More self-supervised learning methods: we further evaluate the effectiveness of our attack when the victim uses MoCo [1] on CIFAR-10, and the surrogate model uses SimSiam (the same setting with our Table 1). Results are reported in C.6 (Table 14) and as follows:

According to above results, our attack maintains effective in MoCo and can still outperform existing CL attacks prominently.

More model architectures: we evaluate our attack when the victim adopts ViT [2] (e.g., ViT small/16 on ImageNet-100 via SimCLR), RegNetX and RegNetY [3] (e.g., regnety_200mf, regnety_400mf on CIFAR-10 via SimCLR). The surrogate models uses SimSiam (the same setting with our Table 1). Results on ViT can be found in Appendix C.4 (Table 8), and results on RegNetX, RegNetY is attached in Table 2. We also provide the results as follows:

Above experimental results indicates that our BLTO attack presents remarkable effectiveness across more modern DNN backbones.

Q2. Discussion on varying hyper-parameters used in surrogate model and victim model.

Thanks for pointing out this. We have added a suggested analysis in Appendix C.6 and list the results as follows.

Surrogate model: when optimizing the trigger, by default, we train a surrogate ResNet18 model on CIFAR-10 via Simsiam. We set batch size=512, and use a dynamic learning rate (with a cosine scheduler, base lr=0.03, final lr=0).

Victim model: suppose the victim trains a ResNet18 backbone on CIFAR-10 via SimCLR. To evaluate whether different hyper-parameters used by victim will influence the attack effectiveness, we vary the batch size of victim in {256, 512, 1024} and scale surrogate model's learning rate by {$\times 0.5$, $\times 1$, $\times 2$}:

From above results, we find that our attack can retain effectiveness even though the victim's CL methods, hyper-parameters differ from the attacker's.

Q3. Discussion on using different pre-training dataset and downstream dataset.

Thanks for this important insight. In fact, our evaluation in Table 3 was designed for such practical scenario. For example in Table 3, the column 1% indicates that 1% of the pre-training dataset contains CIFAR-10 data (i.e., 500 CIFAR-10 data points) and the rest 99% are CIFAR-100 data (i.e., 49500 CIFAR-100 data points), while the downstream dataset is 100% CIFAR-10 data (i.e., 50000 CIFAR-10 data points). In this case, the downstream dataset and the pre-training dataset are not the same, while our attack success rate is still remarkable.

We now further consider a more challenging case when the victim uses backdoored CIFAR-10 for pre-training and uses STL-10 for downstream evaluation. The victim could use SimCLR, BYOL or SimSiam to train their ResNet-18 backbone. The downstream classifier is a linear DNN, similar to BadEncoder [4]. We added this evaluation in Appendix C.6 (Table 15) and list the results as follows:

The results indicate that our attack doesn't require the overlapping between pre-trained dataset and downstream dataset to obtain a good attack performance.

Q4. Discussion on existing work Carlini et al. [5] in the field of poisoning-based backdoor attacks on contrastive learning.

Thanks for your pointing out this interesting work. We have discussed it in Section 2, and here we provide our understanding on this work.

[5] backdoors the CLIP model which targets on image-text pairs $(a, b)$. It works by inserting backdoor trigger in image $a$ and adjusting the text in $b$ that corresponds to a downstream label of interest, such that the pre-trained encoder can associate the trigger with the target text. In this sense, the backdoor mechanism in [5] is still similar to supervised learning setting where the text can be regarded as the "label" for image.

Our backdoor attack focuses on a different contrastive learning (CL) scenario with a single image modality $a$, and thus there is no "label" information at all. Therefore, the difficulty lies in how to enforce the encoder to associate the trigger with a target category, which is not relevent to [5]'s strategy.

Q5. The robustness under Feng et al. [6] is not discussed. Is the backdoor samples in the proposed method have high cosine similarity between each other?

Thanks for poiting out this possible defense. We are happy to further evaluate our attack under this defense method via trigger inversion in Section 5.3 and Appendix C.5. Specifically, we examined our backdoored ResNet18 encoder (pretrained on the backdoored CIFAR-10 via SimCLR using the same configuration in our Table 4 and Table 5) and report the results for L1-norm and P1-norm here.

According to the default threshold in [6], if the P1-norm $<0.1$, it's likely that the encoder is "backdoored". The results show that P1-norm can not really differentiate clean and backdoored encoder. We argue that this is because our backdoor trigger is image-specific (generator-based), which somehow provide the robustness over these trigger inversion defenses (including [7, 8] covered in our paper).

Q6. The usages of the surrogate models and the bi-level optimization is not new [9, 10], which somehow weaken the contributions of this paper.

We agree that these techniques are indeed widely used, even in a broader field than ML security. However, we believe our main contribution is identifying the weakness of existing CL attacks (e.g., the failure of compromising CL's uniformity mechanism discussed in Section 3 and Section 5.4), which naturally motivates us to formulate our trigger optimization problem. The surrogate model and bi-level optimization techniques are just tools for us to realize our novel motivation. Therefore, in our viewpoints, our contribution doesn't lie in the adoption of "surrogate models and bi-level optimization" themselves, but in how we formulate our desired goals and use these tools to solve them.

References

[1] Chen et al., "Improved Baselines with Momentum Contrastive Learning." arXiv 2020.

[2] Alexey Dosovitskiy, et al., "An Image is Worth 16x16 Words: Transformers for Image Recognition at Scale" ICLR 2021.

[3] Xu, Jing, et al., "RegNet: Self-Regulated Network for Image Classification" TNNLS 2023.

[4] Jia et al., "BadEncoder: Backdoor Attacks to Pre-trained Encoders in Self-Supervised Learning." IEEE S&P 2022.

[5] Carlini et al., "Poisoning and Backdooring Contrastive Learning." ICLR 2022.

[6] Feng et al., "Detecting Backdoors in Pre-trained Encoders." CVPR 2023.

[7] Bolun Wang et al., "Neural Cleanse: Identifying and Mitigating Backdoor Attacks in Neural Networks." IEEE S&P 2019

[8] Mengxin Zheng et al., "SSl-cleanse: Trojan detection and mitigation in self-supervised learning." CVPR 2023

[9] Souri et al., "Sleeper Agent: Scalable Hidden Trigger Backdoors for Neural Networks Trained from Scratch." NeurIPS 2022.

[10] Zhu et al., "Boosting Backdoor Attack with A Learnable Poisoning Sample Selection Strategy." arXiv 2023.

We really appreciate the constructive comments from reviewer Saos, which significantly enhance the quality of our work. As we approach the end of discussion stage, we would like to ask if there are any additional comments regarding our response, and we are more than happy to address them. Additionally, we would appreciate if you could consider updating your scores if our rebuttal has satisfactorily addressed your concerns. Thanks again for your time and effort in providing thoughtful feedback!