Triggerless Backdoor Attack for NLP Tasks with Clean Labels

Gan, L; Li, J; Zhang, T; Li, X; Meng, Y; Wu, F; Yang, Y; Guo, S; Fan, C

Triggerless Backdoor Attack for NLP Tasks with Clean Labels

Gan, L Li, J Zhang, T Li, X Meng, Y Wu, F Yang, Y

Guo, S Fan, C

Permalink

Publisher:: ASSOC COMPUTATIONAL LINGUISTICS-ACL
Publication Type:: Conference Proceeding
Citation:: NAACL 2022 - 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Proceedings of the Conference, 2022, pp. 2942-2952
Issue Date:: 2022-01-01

Closed Access

	Filename	Description	Size
	Triggerless Backdoor Attack for NLP Tasks with Clean Labels.pdf	Published version	442.89 kB	Adobe PDF	View/Open

Copyright Clearance Process

Recently Added
In Progress
Closed Access

This item is closed access and not available.

Full metadata record

Field	Value	Language
dc.contributor.author	Gan, L
dc.contributor.author	Li, J
dc.contributor.author	Zhang, T
dc.contributor.author	Li, X
dc.contributor.author	Meng, Y
dc.contributor.author	Wu, F
dc.contributor.author	Yang, Y https://orcid.org/0000-0002-0512-880X
dc.contributor.author	Guo, S
dc.contributor.author	Fan, C
dc.date	2022-07-10
dc.date.accessioned	2023-04-18T03:31:42Z
dc.date.available	2023-04-18T03:31:42Z
dc.date.issued	2022-01-01
dc.identifier.citation	NAACL 2022 - 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Proceedings of the Conference, 2022, pp. 2942-2952
dc.identifier.isbn	9781955917711
dc.identifier.uri	http://hdl.handle.net/10453/169915
dc.description.abstract	Backdoor attacks pose a new threat to NLP models. A standard strategy to construct poisoned data in backdoor attacks is to insert triggers (e.g., rare words) into selected sentences and alter the original label to a target label. This strategy comes with a severe flaw of being easily detected from both the trigger and the label perspectives: the trigger injected, which is usually a rare word, leads to an abnormal natural language expression, and thus can be easily detected by a defense model; the changed target label leads the example to be mistakenly labeled, and thus can be easily detected by manual inspections. To deal with this issue, in this paper, we propose a new strategy to perform textual backdoor attack which does not require an external trigger and the poisoned samples are correctly labeled. The core idea of the proposed strategy is to construct clean-labeled examples, whose labels are correct but can lead to test label changes when fused with the training set. To generate poisoned clean-labeled examples, we propose a sentence generation model based on the genetic algorithm to cater to the non-differentiable characteristic of text data. Extensive experiments demonstrate that the proposed attacking strategy is not only effective, but more importantly, hard to defend due to its triggerless and clean-labeled nature. Our work marks the first step towards developing triggerless attacking strategies in NLP.
dc.language	en
dc.publisher	ASSOC COMPUTATIONAL LINGUISTICS-ACL
dc.relation.ispartof	NAACL 2022 - 2022 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies, Proceedings of the Conference
dc.relation.ispartof	Conference of the North-American-Chapter-of-the-Association-for-Computational-Linguistics (NAAACL) - Human Language Technologies
dc.rights	info:eu-repo/semantics/closedAccess
dc.title	Triggerless Backdoor Attack for NLP Tasks with Clean Labels
dc.type	Conference Proceeding
utslib.location.activity	Seattle, WA
pubs.organisational-group	/University of Technology Sydney
pubs.organisational-group	/University of Technology Sydney/Faculty of Engineering and Information Technology
utslib.copyright.status	closed_access	*
dc.date.updated	2023-04-18T03:31:41Z
pubs.finish-date	2022-07-15
pubs.publication-status	Published
pubs.start-date	2022-07-10

Abstract:

Backdoor attacks pose a new threat to NLP models. A standard strategy to construct poisoned data in backdoor attacks is to insert triggers (e.g., rare words) into selected sentences and alter the original label to a target label. This strategy comes with a severe flaw of being easily detected from both the trigger and the label perspectives: the trigger injected, which is usually a rare word, leads to an abnormal natural language expression, and thus can be easily detected by a defense model; the changed target label leads the example to be mistakenly labeled, and thus can be easily detected by manual inspections. To deal with this issue, in this paper, we propose a new strategy to perform textual backdoor attack which does not require an external trigger and the poisoned samples are correctly labeled. The core idea of the proposed strategy is to construct clean-labeled examples, whose labels are correct but can lead to test label changes when fused with the training set. To generate poisoned clean-labeled examples, we propose a sentence generation model based on the genetic algorithm to cater to the non-differentiable characteristic of text data. Extensive experiments demonstrate that the proposed attacking strategy is not only effective, but more importantly, hard to defend due to its triggerless and clean-labeled nature. Our work marks the first step towards developing triggerless attacking strategies in NLP.

Please use this identifier to cite or link to this item:

http://hdl.handle.net/10453/169915