The field of few-shot learning (FSL) has shown promising results in scenarios
where training data is limited, but its vulnerability to backdoor attacks
remains largely unexplored. We first explore this topic by evaluating the
performance of the existing backdoor attack methods on few-shot learning
scenarios. Unlike in standard supervised learning, existing backdoor attack
methods failed to perform an effective attack in FSL due to two main issues.
Firstly, the model tends to overfit to either benign features or trigger
features, causing a tough trade-off between attack success rate and benign
accuracy. Secondly, due to the small number of training samples, the dirty
label or visible trigger in the support set can be easily detected by victims,
which reduces the stealthiness of attacks. It seemed that FSL could survive
backdoor attacks. However, in this paper, we propose the Few-shot Learning
Backdoor Attack (FLBA) to show that FSL can still be vulnerable to backdoor
attacks. Specifically, we first generate a trigger to maximize the gap between
poisoned and benign features. It enables the model to learn both benign and
trigger features, which solves the problem of overfitting. To make it more
stealthy, we hide the trigger by optimizing two types of imperceptible
perturbation, namely attractive and repulsive perturbation, instead of
attaching the trigger directly. Once we obtain the perturbations, we can poison
all samples in the benign support set into a hidden poisoned support set and
fine-tune the model on it. Our method demonstrates a high Attack Success Rate
(ASR) in FSL tasks with different few-shot learning paradigms while preserving
clean accuracy and maintaining stealthiness. This study reveals that few-shot
learning still suffers from backdoor attacks, and its security should be given
attention.
Few-shot learning (FSL) has emerged as a promising approach in scenarios where training data is limited. However, its vulnerability to backdoor attacks has not been widely explored. This article discusses the challenges faced by existing backdoor attack methods when applied to FSL and introduces a new approach called the Few-shot Learning Backdoor Attack (FLBA) to demonstrate that FSL can still be susceptible to such attacks.
One key challenge highlighted is the overfitting of models in FSL, where they tend to focus on either the benign features or the trigger features. This creates a trade-off between achieving a high attack success rate and maintaining a good level of benign accuracy. The limited number of training samples in FSL exacerbates this issue, making it easier for victims to detect the presence of dirty labels or visible triggers in the support set, thus reducing the stealthiness of the attacks.
To address these challenges, the FLBA introduces a trigger generation technique that maximizes the gap between poisoned and benign features. This allows the model to learn both the benign and trigger features, mitigating the overfitting problem. In order to enhance stealthiness, the FLBA hides the trigger by optimizing imperceptible perturbations, specifically attractive and repulsive perturbations. Instead of directly attaching the trigger to the samples, these perturbations disguise the trigger while still affecting the model’s decision-making.
By poisoning all samples in the benign support set with the hidden trigger and fine-tuning the model on this poisoned support set, the FLBA achieves a high Attack Success Rate (ASR) in FSL tasks across different few-shot learning paradigms. Importantly, this is achieved while preserving clean accuracy and maintaining stealthiness.
This study shows that few-shot learning is not immune to backdoor attacks. The work combines techniques from machine learning, computer vision, and security to understand and address the vulnerabilities in FSL. As few-shot learning continues to gain traction, it is crucial to consider its security aspects and develop robust defense mechanisms against backdoor attacks to ensure the reliability and trustworthiness of this approach.
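The point above that a dirty label is easy to spot in a small support set can be made concrete with a leave-one-out nearest-prototype audit over feature embeddings. This is an added example, not code from the paper or this article; the 2-D embeddings, sample ids and class names are constructed, and a feature extractor that produces the embeddings is assumed to exist.

```python
import math

def prototype(vectors):
    """Mean embedding of a list of equal-length vectors."""
    n = len(vectors)
    return [sum(col) / n for col in zip(*vectors)]

def audit_support_set(support):
    """Leave-one-out nearest-prototype label audit.

    support: list of (sample_id, label, embedding).
    Returns (sample_id, given_label, nearest_label) for every sample whose
    label disagrees with the closest class prototype built without it.
    """
    flagged = []
    for i, (sid, label, emb) in enumerate(support):
        by_class = {}
        for j, (_, other_label, other_emb) in enumerate(support):
            if j != i:
                by_class.setdefault(other_label, []).append(other_emb)
        # A one-shot class vanishes when its only sample is held out:
        # there is nothing to compare against, so the sample is skipped.
        if label not in by_class:
            continue
        nearest = min(
            by_class, key=lambda c: math.dist(emb, prototype(by_class[c]))
        )
        if nearest != label:
            flagged.append((sid, label, nearest))
    return flagged

# Constructed 3-way, 3-shot support set (embeddings are illustrative only).
SUPPORT = [
    ("s1", "cat", [0.9, 0.1]), ("s2", "cat", [1.0, 0.2]), ("s3", "cat", [1.1, 0.0]),
    ("s4", "dog", [0.0, 1.0]), ("s5", "dog", [0.1, 0.9]), ("s6", "dog", [-0.1, 1.1]),
    ("s7", "fox", [-1.0, -1.0]), ("s8", "fox", [-0.9, -1.1]),
    ("s9", "fox", [1.0, 0.1]),  # dirty label: sits in the "cat" cluster
]

if __name__ == "__main__":
    for sid, given, nearest in audit_support_set(SUPPORT):
        print(f"{sid}: labelled {given!r}, nearest prototype is {nearest!r}")
```

This audit covers only the dirty-label case the article mentions; the article describes FLBA's hidden perturbations as built to stay stealthy, so a label audit alone is not a defense against it.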