Robustness of semi-supervised deep learning model against backdoor attacks

Abstract

Deep neural networks (DNNs) have revolutionized computer vision (CV), particularly in object detection and image classification applications. However, annotating data is a costly and time-consuming process that limits the amount of labeled data available for model training. Semi-supervised learning (SSL) addresses this issue by utilizing a small portion of labeled data to learn underlying patterns and justify unlabeled data without sacrificing prediction performance.

It has been demonstrated that DNNs trained by supervised learning (SL) algorithms are susceptible to data poisoning backdoor attacks. Imperceptible malicious behaviors can be embedded into activated DNNs and cause target misclassification when a specific “trigger” exists. This is due to DNNs excessive learning ability that could build a latent connection between the trigger pattern and target labels. However, the effectiveness of such backdoor attacks is rarely studied under SSL settings.

Therefore, this project aims to evaluate the robustness of semi-supervised learning methods against backdoor attacks. The data-augmentation-based backdoor attack is selected in our evaluation. The attack trigger is applied separately to each image channel (R, G, B) and forms a composite trigger imperceptible to a human. This attack is conducted on a MobileNetV3 model trained on the Cifar-10 dataset using the SSL algorithm. The results show a dramatically high attack success rate of 96%, even with just a 1% injection rate of backdoored samples.

This final-year project (FYP) aims to contribute to developing more secure semi-supervised learning methods that can be applied to practical applications in computer vision and methods to improve its security.