This paper addresses the vulnerability of self-supervised learning (SSL) encoders to stealthy backdoor attacks. We propose a lightweight, clean-data-free, and fine-tuning-free detection method. Our approach introduces an auxiliary decoder to quantify semantic mapping anomalies induced by backdoor activation—specifically, via input-output reconstruction distortion—a novel metric first employed for this purpose. To enhance generalizability, we model cross-paradigm commonalities in backdoor features across contrastive learning and CLIP-style models, enabling effective training using out-of-distribution auxiliary data. Evaluated against state-of-the-art stealthy backdoor attacks, our method achieves significant performance gains, reliably identifying poisoned samples in both contrastive learning and CLIP-based models. It demonstrates strong robustness, broad applicability across SSL paradigms, and practical feasibility—requiring no access to clean data or model fine-tuning.

Self-supervised learning (SSL) is pervasively exploited in training high-quality upstream encoders with a large amount of unlabeled data. However, it is found to be susceptible to backdoor attacks merely via polluting a small portion of training data. The victim encoders associate triggered inputs with target embeddings, e.g., mapping a triggered cat image to an airplane embedding, such that the downstream tasks inherit unintended behaviors when the trigger is activated. Emerging backdoor attacks have shown great threats across different SSL paradigms such as contrastive learning and CLIP, yet limited research is devoted to defending against such attacks, and existing defenses fall short in detecting advanced stealthy backdoors. To address the limitations, we propose a novel detection mechanism, DeDe, which detects the activation of backdoor mappings caused by triggered inputs on victim encoders. Specifically, DeDe trains a decoder for any given SSL encoder using an auxiliary dataset (which can be out-of-distribution or even slightly poisoned), so that for any triggered input that misleads the encoder into the target embedding, the decoder generates an output image significantly different from the input. DeDe leverages the discrepancy between the input and the decoded output to identify potential backdoor misbehavior during inference. We empirically evaluate DeDe on both contrastive learning and CLIP models against various types of backdoor attacks. Our results demonstrate promising detection effectiveness over various advanced attacks and superior performance compared over state-of-the-art detection methods.