Invisible Backdoor Attack against Self-supervised Learning

Hanrong Zhang; Zhenting Wang; Boheng Li; Fulin Lin; Tingxu Han; Mingyu Jin; Chenlu Zhan; Mengnan Du; Hongwei Wang; Shiqing Ma

doi:10.1109/CVPR52734.2025.02402

Invisible Backdoor Attack against Self-supervised Learning

Hanrong Zhang
, Zhenting Wang
, Boheng Li
, Fulin Lin
, Tingxu Han
, Mingyu Jin
, Chenlu Zhan
, Mengnan Du
, Hongwei Wang
, Shiqing Ma

Data Science

Research output: Contribution to journal › Conference article › peer-review

1 Scopus citations

Abstract

Self-supervised learning (SSL) models are vulnerable to backdoor attacks. Existing backdoor attacks that are effective in SSL often involve noticeable triggers, like colored patches or visible noise, which are vulnerable to human inspection. This paper proposes an imperceptible and effective backdoor attack against self-supervised models. We first find that existing imperceptible triggers designed for supervised learning are less effective in compromising self-supervised models. We then identify this ineffectiveness is attributed to the overlap in distributions between the backdoor and augmented samples used in SSL. Building on this insight, we design an attack using optimized triggers disentangled with the augmented transformation in the SSL, while remaining imperceptible to human vision. Experiments on five datasets and six SSL algorithms demonstrate our attack is highly effective and stealthy. It also has strong resistance to existing backdoor defenses. Our code can be found at https://github.com/Zhang-Henry/INACTIVE.

Original language	English (US)
Pages (from-to)	25790-25801
Number of pages	12
Journal	Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition
DOIs	https://doi.org/10.1109/CVPR52734.2025.02402
State	Published - 2025
Event	2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2025 - Nashville, United States Duration: Jun 11 2025 → Jun 15 2025

All Science Journal Classification (ASJC) codes

Software
Computer Vision and Pattern Recognition

Keywords

backdoor attack
self-supervised learning

Access to Document

10.1109/CVPR52734.2025.02402

Cite this

@article{c554035f74974bd2ac2d1a5c826215d9,

title = "Invisible Backdoor Attack against Self-supervised Learning",

abstract = "Self-supervised learning (SSL) models are vulnerable to backdoor attacks. Existing backdoor attacks that are effective in SSL often involve noticeable triggers, like colored patches or visible noise, which are vulnerable to human inspection. This paper proposes an imperceptible and effective backdoor attack against self-supervised models. We first find that existing imperceptible triggers designed for supervised learning are less effective in compromising self-supervised models. We then identify this ineffectiveness is attributed to the overlap in distributions between the backdoor and augmented samples used in SSL. Building on this insight, we design an attack using optimized triggers disentangled with the augmented transformation in the SSL, while remaining imperceptible to human vision. Experiments on five datasets and six SSL algorithms demonstrate our attack is highly effective and stealthy. It also has strong resistance to existing backdoor defenses. Our code can be found at https://github.com/Zhang-Henry/INACTIVE.",

keywords = "backdoor attack, self-supervised learning",

author = "Hanrong Zhang and Zhenting Wang and Boheng Li and Fulin Lin and Tingxu Han and Mingyu Jin and Chenlu Zhan and Mengnan Du and Hongwei Wang and Shiqing Ma",

note = "Publisher Copyright: {\textcopyright} 2025 IEEE.; 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2025 ; Conference date: 11-06-2025 Through 15-06-2025",

year = "2025",

doi = "10.1109/CVPR52734.2025.02402",

language = "English (US)",

pages = "25790--25801",

journal = "Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition",

issn = "1063-6919",

publisher = "IEEE Computer Society",

}

TY - JOUR

T1 - Invisible Backdoor Attack against Self-supervised Learning

AU - Zhang, Hanrong

AU - Wang, Zhenting

AU - Li, Boheng

AU - Lin, Fulin

AU - Han, Tingxu

AU - Jin, Mingyu

AU - Zhan, Chenlu

AU - Du, Mengnan

AU - Wang, Hongwei

AU - Ma, Shiqing

PY - 2025

Y1 - 2025

N2 - Self-supervised learning (SSL) models are vulnerable to backdoor attacks. Existing backdoor attacks that are effective in SSL often involve noticeable triggers, like colored patches or visible noise, which are vulnerable to human inspection. This paper proposes an imperceptible and effective backdoor attack against self-supervised models. We first find that existing imperceptible triggers designed for supervised learning are less effective in compromising self-supervised models. We then identify this ineffectiveness is attributed to the overlap in distributions between the backdoor and augmented samples used in SSL. Building on this insight, we design an attack using optimized triggers disentangled with the augmented transformation in the SSL, while remaining imperceptible to human vision. Experiments on five datasets and six SSL algorithms demonstrate our attack is highly effective and stealthy. It also has strong resistance to existing backdoor defenses. Our code can be found at https://github.com/Zhang-Henry/INACTIVE.

AB - Self-supervised learning (SSL) models are vulnerable to backdoor attacks. Existing backdoor attacks that are effective in SSL often involve noticeable triggers, like colored patches or visible noise, which are vulnerable to human inspection. This paper proposes an imperceptible and effective backdoor attack against self-supervised models. We first find that existing imperceptible triggers designed for supervised learning are less effective in compromising self-supervised models. We then identify this ineffectiveness is attributed to the overlap in distributions between the backdoor and augmented samples used in SSL. Building on this insight, we design an attack using optimized triggers disentangled with the augmented transformation in the SSL, while remaining imperceptible to human vision. Experiments on five datasets and six SSL algorithms demonstrate our attack is highly effective and stealthy. It also has strong resistance to existing backdoor defenses. Our code can be found at https://github.com/Zhang-Henry/INACTIVE.

KW - backdoor attack

KW - self-supervised learning

UR - https://www.scopus.com/pages/publications/105017099188

UR - https://www.scopus.com/pages/publications/105017099188#tab=citedBy

U2 - 10.1109/CVPR52734.2025.02402

DO - 10.1109/CVPR52734.2025.02402

M3 - Conference article

AN - SCOPUS:105017099188

SN - 1063-6919

SP - 25790

EP - 25801

JO - Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition

JF - Proceedings of the IEEE Computer Society Conference on Computer Vision and Pattern Recognition

T2 - 2025 IEEE/CVF Conference on Computer Vision and Pattern Recognition, CVPR 2025

Y2 - 11 June 2025 through 15 June 2025

ER -

Invisible Backdoor Attack against Self-supervised Learning

Abstract

All Science Journal Classification (ASJC) codes

Keywords

Access to Document

Other files and links

Fingerprint

Cite this