Abstract
Semi-supervised learning (SSL) aims to achieve competitive performance by labeling only a few training examples. However, unlabeled training examples from the wild are vulnerable to backdoor poisoning. Hence, networks trained by SSL tend to be injected with backdoors. Most existing backdoor attacks focus on labeled examples, while some backdoor poisoning methods on unlabeled examples require that SSL networks must be pre-trained on labeled examples. In this paper, we propose a backdoor poisoning method on unlabeled examples of trained-from-scratch SSL networks. We find that backdoor poisoning always fails when the poisoned unlabeled examples come from different classes, which is different from poisoning the labeled examples. The reason is that SSL algorithms always strive to correct them during training. Therefore, for unlabeled examples, we implement backdoor poisoning on examples from the target class. We propose a gradient matching strategy to craft poisoned examples such that their gradients match the gradients of target examples on the SSL network. This can fit poisoned examples to the target class and realize backdoor injection. Experiments show that our poisoning achieves state-of-the-art attack success rates on most SSL algorithms while ensuring the imperceptibility of backdoor patterns and bypassing modern backdoor defenses.
Sign-in/Register to access full text options 
Talk to us
Join us for a 30 min session where you can share your feedback and ask us any queries you have
Schedule a callDisclaimer: All third-party content on this website/platform is and will remain the property of their respective owners and is provided on "as is" basis without any warranties, express or implied. Use of third-party content does not indicate any affiliation, sponsorship with or endorsement by them. Any references to third-party content is to identify the corresponding services and shall be considered fair use under The CopyrightLaw.
