Go to DBLP homepageBackdooring Multimodal Learning
Abstract: Deep Neural Networks (DNNs) are vulnerable to backdoor attacks, which poison the training set to alter the model prediction over samples with a specific trigger. While existing efforts mainly focus on unimodal scenarios, modern AI systems usually employ multiple modalities to improve the model performance, making multimodal backdoor attacks more practical but structurally more complex due to inherent modality interactions, multiple attack surfaces, unbalanced modality contributions, etc. These factors affect the effectiveness of backdooring multimodal learning significantly but have not been fully investigated yet.To bridge this gap, we present the first data and computation efficient backdoor attacks towards multimodal learning. Our solution consists of two innovations. First, we propose a novel backdoor gradient-based score (BAGS), which can accurately quantify the contribution of each data sample to the backdoor learning at a very early training stage. Therefore, it can greatly save time and computational resources for the attacker. Second, we introduce a searching strategy with two attack modes to efficiently determine the optimal poisoning modalities and data samples.Our methodology leads to the following research outcomes. First, we comprehensively evaluate the proposed solution over state-of-the-art multimodal tasks, models, datasets and settings, to verify its effectiveness, efficiency and transferability. For instance, we only need to poison 0.005% of training samples to attack the Visual Question Answering task with the success rate of >96%. For the Audio Video Speech Recognition task, we poison 0.05% of samples to achieve the success rate of >93%. Second, we disclose several interesting findings during our experiments: (1) poisoning all modalities is not always better than individual ones, sometimes even making the attack worse; (2) modality competition and complementarity coexist in multimodal learning backdoor attacks; (3) A dominant modality in multimodal learning may not dominate the backdoor attacks. We hope this work will spur future research in improving the security of multimodal learning. Code is available at https://github.com/multimodalbags/BAGS_Multimodal.
Loading