Self-supervised learning (SSL) is a commonly used approach to learning and encoding data representations. By using a pre-trained SSL image encoder and training a downstream classifier on top of it, impressive performance can be achieved on various tasks with very little labeled data. The increasing usage of SSL has led to an uptick in security research related to SSL encoders and the development of various Trojan attacks. The danger posed by Trojan attacks inserted in SSL encoders lies in their ability to operate covertly and spread widely among various users and devices. The presence of backdoor behavior in Trojaned encoders can inadvertently be inherited by downstream classifiers, making it even more difficult to detect and mitigate the threat. Although current Trojan detection methods in supervised learning can potentially safeguard SSL downstream classifiers, identifying and addressing triggers in the SSL encoder before its widespread dissemination is a challenging task. This is because downstream tasks are not always known, dataset labels are not available, and even the original training dataset is not accessible during the SSL encoder Trojan detection. This paper presents an innovative technique called SSL-Cleanse that is designed to detect and mitigate backdoor attacks in SSL encoders. We evaluated SSL-Cleanse on various datasets using 300 models, achieving an average detection success rate of 83.7% on ImageNet-100. After mitigating backdoors, on average, backdoored encoders achieve 0.24% attack success rate without great accuracy loss, proving the effectiveness of SSL-Cleanse.

翻译：自监督学习（SSL）是一种学习与编码数据表示的常用方法。通过使用预训练的SSL图像编码器并在其之上训练下游分类器，即可在仅有极少量标注数据的各类任务中实现卓越性能。SSL日益广泛的应用引发了针对SSL编码器的安全研究热潮，以及多种木马攻击手段的发展。植入SSL编码器中的木马攻击之所以危险，在于其具备隐蔽运作并在不同用户与设备间广泛传播的能力。被感染的编码器中的后门行为可能无意中被下游分类器继承，使得检测与缓解这一威胁更加困难。尽管当前监督学习中的木马检测方法或可保护SSL下游分类器，但在SSL编码器广泛传播前识别并处理其中的触发器仍是一项挑战。这是因为下游任务并非始终可知、数据集标签不可获取，甚至在SSL编码器木马检测时原始训练数据集亦不可访问。本文提出一种名为SSL-Cleanse的创新技术，旨在检测并缓解SSL编码器中的后门攻击。我们使用300个模型在多个数据集上评估了SSL-Cleanse，在ImageNet-100上实现了83.7%的平均检测成功率。在缓解后门后，被植入后门的编码器平均攻击成功率降至0.24%，且未造成显著精度损失，验证了SSL-Cleanse的有效性。