ML Security PapersDSBA: Dynamic Stealthy Backdoor Attack with Collaborative Optimization in Self-Supervised Learning
Jiayao Wang 1, Mohammad Maruf Hasan 1, Yiping Zhang 1, Xiaoying Lei 1, Jiale Zhang 1, Qilin Wu 2, Junwu Zhu 1, Dongfang Zhao 3
Published on arXiv
2603.02849
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
DSBA significantly enhances Attack Success Rate and stealthiness in SSL backdoor attacks while maintaining downstream task accuracy and outperforming existing attacks under mainstream defense methods.
DSBA (Dynamic Stealthy Backdoor Attack)
Novel technique introduced
Self-Supervised Learning (SSL) has emerged as a significant paradigm in representation learning thanks to its ability to learn without extensive labeled data, its strong generalization capabilities, and its potential for privacy preservation. However, recent research reveals that SSL models are also vulnerable to backdoor attacks. Existing backdoor attack methods in the SSL context commonly suffer from issues such as high detectability of triggers, feature entanglement, and pronounced out-of-distribution properties in poisoned samples, all of which compromises attack effectiveness and stealthiness. To that, we propose a Dynamic Stealthy Backdoor Attack (DSBA) backed by a new technique we term Collaborative Optimization. This method decouples the attack process into two collaborative optimization layers: the outer-layer optimization trains a backdoor encoder responsible for global feature space remodeling, aiming to achieve precise backdoor implantation while preserving core functionality; meanwhile, the inner-layer optimization employs a dynamically optimized generator to adaptively produce optimally concealed triggers for individual samples, achieving coordinated concealment across feature space and visual space. We also introduce multiple loss functions to dynamically balance attack performance and stealthiness, in which we employ an adaptive weight scheduling mechanism to enhance training stability. Extensive experiments on various mainstream SSL algorithms and five public datasets demonstrate that: (i) DSBA significantly enhances Attack Success Rate (ASR) and stealthiness while maintaining downstream task accuracy; and (ii) DSBA exhibits superior robustness against existing mainstream defense methods.
Key Contributions
- Collaborative Optimization framework decoupling backdoor training into an outer-layer backdoor encoder (global feature space remodeling) and an inner-layer dynamic trigger generator (per-sample concealed trigger synthesis).
- Adaptive weight scheduling mechanism with multiple loss functions that dynamically balance attack performance and stealthiness across feature and visual spaces.
- Demonstrated high ASR and stealthiness on five datasets across mainstream SSL algorithms (SimCLR, MoCo, BYOL, etc.) with robustness against existing defenses such as spectral signatures, activation clustering, and ShrinkPad.
🛡️ Threat Analysis
DSBA is a backdoor/trojan attack that embeds hidden, trigger-activated malicious behavior into SSL encoder models during training. The outer-layer trains a backdoor encoder for feature space remodeling while the inner-layer dynamically generates optimally concealed triggers — a textbook neural trojan attack with targeted activation on trigger presence and normal behavior otherwise.