Backdoor Attacks with Input-Unique Triggers in NLP

Abstract

Backdoor attack aims to induce neural models to make incorrect predictions for poison data while keeping predictions on the clean dataset unchanged, which creates a considerable threat to current natural language processing (NLP) systems. Existing backdoor attacking systems face two severe issues: firstly, most backdoor triggers follow a uniform and usually input-independent pattern, e.g., insertion of specific trigger words. This significantly hinders the stealthiness of the attacking model, leading to the trained backdoor model being easily identified as malicious by model probes. Secondly, trigger-inserted poisoned sentences are usually disfluent, ungrammatical, or even change the semantic meaning from the original sentence. To resolve these two issues, we propose a method named NURA, where we generate backdoor triggers unique to inputs. NURA generates context-related triggers by continuing to write the input with a language model like GPT2 [ 2 ]. The generated sentence is used as the backdoor trigger. This strategy not only creates input-unique backdoor triggers but also preserves the semantics of the original input, simultaneously resolving the two issues above. Experimental results show that the NURA attack is effective for attack and difficult to defend against: it achieves a high attack success rate across all the widely applied benchmarks while being immune to existing defense methods.