Defending Against Repetitive Backdoor Attacks on Semi-Supervised Learning through Lens of Rate-Distortion-Perception Trade-Off

Cheng-Yi Lee, Ching-Chia Kao, Cheng-Han Yeh, Chun-Shien Lu, Chia-Mu Yu, Chu-Song Chen; Proceedings of the Winter Conference on Applications of Computer Vision (WACV), 2025, pp. 6465-6474

Semi-supervised learning (SSL) has achieved remarkable performance with a small fraction of labeled data by leveraging vast amounts of unlabeled data from the Internet. However this large pool of untrusted data is extremely vulnerable to data poisoning leading to potential backdoor attacks. Current backdoor defenses are not yet effective against such a vulnerability in SSL. In this study we propose a novel method Unlabeled Data Purification (UPure) to disrupt the association between trigger patterns and target classes by introducing perturbations in the frequency domain. By leveraging the Rate-Distortion-Perception (RDP) trade-off we further identify the frequency band where the perturbations are added and justify this selection. Notably UPure purifies poisoned unlabeled data without the need of extra clean labeled data. Extensive experiments on four benchmark datasets and five SSL algorithms demonstrate that UPure effectively reduces the attack success rate from 99.78% to 0% while maintaining model accuracy. Code is available here: https://github.com/chengyi-chris/UPure.