This work proposes Dynamic Stealthy Backdoor Attack (DSBA), a novel approach to address the vulnerability of self-supervised learning (SSL) models to backdoor attacks while overcoming limitations of existing methods—such as conspicuous triggers, entangled features, and anomalous poisoned sample distributions—that compromise stealth and effectiveness. DSBA employs a bilevel co-optimization framework that decouples the attack into outer-loop encoder optimization and inner-loop dynamic trigger generation, jointly achieving stealth in both feature and visual spaces. By integrating adaptive weight scheduling with a multi-objective loss function, DSBA significantly enhances attack success rates and resistance to detection without degrading downstream task performance. Extensive experiments across five datasets and multiple mainstream SSL algorithms demonstrate the superior attack efficacy and robustness of DSBA against current defense mechanisms.

Self-Supervised Learning (SSL) has emerged as a significant paradigm in representation learning thanks to its ability to learn without extensive labeled data, its strong generalization capabilities, and its potential for privacy preservation. However, recent research reveals that SSL models are also vulnerable to backdoor attacks. Existing backdoor attack methods in the SSL context commonly suffer from issues such as high detectability of triggers, feature entanglement, and pronounced out-of-distribution properties in poisoned samples, all of which compromises attack effectiveness and stealthiness. To that, we propose a Dynamic Stealthy Backdoor Attack (DSBA) backed by a new technique we term Collaborative Optimization. This method decouples the attack process into two collaborative optimization layers: the outer-layer optimization trains a backdoor encoder responsible for global feature space remodeling, aiming to achieve precise backdoor implantation while preserving core functionality; meanwhile, the inner-layer optimization employs a dynamically optimized generator to adaptively produce optimally concealed triggers for individual samples, achieving coordinated concealment across feature space and visual space. We also introduce multiple loss functions to dynamically balance attack performance and stealthiness, in which we employ an adaptive weight scheduling mechanism to enhance training stability. Extensive experiments on various mainstream SSL algorithms and five public datasets demonstrate that: (i) DSBA significantly enhances Attack Success Rate (ASR) and stealthiness while maintaining downstream task accuracy; and (ii) DSBA exhibits superior robustness against existing mainstream defense methods.