The image depicts a research poster explaining a data poisoning based backdoor attack on contrastive learning (CL). The poster carries the logos of UCLA and Duke University, indicating their involvement in the research. It gives an overview of how an attacker embeds a backdoor into an encoder by injecting poisoned images into an unlabeled pre-training dataset, so that the downstream classifier predicts an attacker-chosen class (the target class) for any image embedded with an attacker-chosen trigger. Under the attacker's knowledge, the poster states that the attacker can collect reference images containing objects from the target class, along with unlabeled background images, but cannot manipulate the pre-training itself.

The key idea is that CL maximizes feature similarity between two randomly cropped views of an image. If one view includes a reference object and the other includes the trigger, maximizing feature similarity causes the encoder to generate similar feature vectors for both, leading the classifier to predict the target class for both the reference object and any trigger-embedded image.

Figures 1 and 2 illustrate the concept: Figure 1 compares a reference image with a reference object, and Figure 2 compares existing attacks (a) with CorruptEncoder (b). The poster notes the limitation of existing attacks: because both randomly cropped views come from the same reference image, they fail to build strong correlations between the trigger and images in the target class. The poster provides a QR code and a GitHub link for more information.

Text transcribed from the image:

UCLA, Duke University. Code available at https://github.com/jzhang538/CorruptEncoder

Overview

Data poisoning based backdoor attack to contrastive learning (CL): An attacker embeds a backdoor into an encoder via injecting poisoned images into the unlabeled pre-training dataset.
A downstream classifier built based on a backdoored encoder predicts an attacker-chosen class (called target class) for any image embedded with an attacker-chosen trigger.

Attacker's knowledge: The attacker can collect some reference images that include reference objects from the target class and some unlabeled background images. The attacker cannot manipulate the pre-training.

Figure 1. Reference image vs Reference object.

Key idea: CL maximizes the feature similarity between two randomly cropped views of an image. If one view includes a reference object and the other includes the trigger, then maximizing their feature similarity would learn an encoder that produces similar feature vectors for the reference object and any trigger-embedded image. A downstream classifier would predict the target class for the reference object and any trigger-embedded image.

Figure 2. Comparing existing attacks with CorruptEncoder. Panels: (a) Existing Attack, (b) CorruptEncoder. Labels in the figure: Poisoned Image, Maximize Feature Similarity.

Limitation of existing attacks: Two randomly cropped views of a poisoned image are both from the same reference image, which fails to build strong correlations between the trigger and images in the target class.