(2021) BadNL: Backdoor Attacks against NLP Models with Semantic-preserving Improvements.
|
Text
ACSAC21_Camera_ready.pdf Download (1MB) | Preview |
Abstract
Deep neural network (DNN) has progressed rapidly during the past decade and DNN models have been deployed in various real-world applications. Meanwhile, DNN models have been shown to be vulnerable to security and privacy attacks. One such attack that has attracted a great deal of attention recently is the backdoor attack. Specifically, the adversary poisons the target model's training set to mislead any input with an added secret trigger to a target class. In this paper, we perform a systematic investigation of the backdoor attack on NLP models, and propose BadNL, a general NLP backdoor attack framework including novel attack methods which are highly effective, preserve model utility, and guarantee stealthiness. Specifically, we propose three methods to construct triggers, namely BadChar, BadWord, and BadSentence, including basic and semantic-preserving variants. Our attacks achieve an almost perfect attack success rate with a negligible effect on the original model's utility. For instance, using the BadChar, our backdoor attack achieves a 98.9% attack success rate with yielding a utility improvement of 1.5% on the SST-5 dataset when only poisoning 3% of the original set.
| Item Type: | Conference or Workshop Item (A Paper) (Paper) |
|---|---|
| Conference: | ACSAC Annual Computer Security Applications Conference |
| Depositing User: | Ahmed Salem |
| Date Deposited: | 06 Dec 2021 12:48 |
| Last Modified: | 06 Dec 2021 12:48 |
| Primary Research Area: | NRA1: Trustworthy Information Processing |
| URI: | https://publications.cispa.saarland/id/eprint/3529 |
Actions
Actions (login required)
 |
View Item |