Training-free Lexical Backdoor Attacks on language models

Yujin Huang; Terry Yue Zhuo; Qiongkai Xu; Han Hu; Xingliang Yuan; Chunyang Chen

doi:10.1145/3543507.3583348

Training-free Lexical Backdoor Attacks on language models

Yujin Huang, Terry Yue Zhuo, Qiongkai Xu^*, Han Hu, Xingliang Yuan^*, Chunyang Chen

^*Corresponding author for this work

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

23 Citations (Scopus)

Abstract

Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters.

In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.

Original language	English
Title of host publication	The ACM Web Conference 2023
Subtitle of host publication	proceedings of the World Wide Web Conference WWW 2023
Place of Publication	New York
Publisher	Association for Computing Machinery, Inc
Pages	2198-2208
Number of pages	11
ISBN (Electronic)	9781450394161
DOIs	https://doi.org/10.1145/3543507.3583348
Publication status	Published - 2023
Externally published	Yes
Event	2023 World Wide Web Conference, WWW 2023 - Austin, United States Duration: 30 Apr 2023 → 4 May 2023

Conference

Conference	2023 World Wide Web Conference, WWW 2023
Country/Territory	United States
City	Austin
Period	30/04/23 → 4/05/23

Keywords

Backdoor Attack
Language Model
Lexical Modification
Tokenizer

Access to Document

10.1145/3543507.3583348

Cite this

@inproceedings{ca13520245824cba9cb1ced29d983331,

title = "Training-free Lexical Backdoor Attacks on language models",

abstract = "Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters. In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.",

keywords = "Backdoor Attack, Language Model, Lexical Modification, Tokenizer",

author = "Yujin Huang and Zhuo, {Terry Yue} and Qiongkai Xu and Han Hu and Xingliang Yuan and Chunyang Chen",

year = "2023",

doi = "10.1145/3543507.3583348",

language = "English",

pages = "2198--2208",

booktitle = "The ACM Web Conference 2023",

publisher = "Association for Computing Machinery, Inc",

note = "2023 World Wide Web Conference, WWW 2023 ; Conference date: 30-04-2023 Through 04-05-2023",

}

Huang, Y, Zhuo, TY, Xu, Q, Hu, H, Yuan, X & Chen, C 2023, Training-free Lexical Backdoor Attacks on language models. in The ACM Web Conference 2023: proceedings of the World Wide Web Conference WWW 2023. Association for Computing Machinery, Inc, New York, pp. 2198-2208, 2023 World Wide Web Conference, WWW 2023, Austin, Texas, United States, 30/04/23. https://doi.org/10.1145/3543507.3583348

Training-free Lexical Backdoor Attacks on language models. / Huang, Yujin; Zhuo, Terry Yue; Xu, Qiongkai et al.
The ACM Web Conference 2023: proceedings of the World Wide Web Conference WWW 2023. New York: Association for Computing Machinery, Inc, 2023. p. 2198-2208.

Research output: Chapter in Book/Report/Conference proceeding › Conference proceeding contribution › peer-review

TY - GEN

T1 - Training-free Lexical Backdoor Attacks on language models

AU - Huang, Yujin

AU - Zhuo, Terry Yue

AU - Xu, Qiongkai

AU - Hu, Han

AU - Yuan, Xingliang

AU - Chen, Chunyang

PY - 2023

Y1 - 2023

N2 - Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters. In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.

AB - Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters. In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.

KW - Backdoor Attack

KW - Language Model

KW - Lexical Modification

KW - Tokenizer

UR - http://www.scopus.com/inward/record.url?scp=85159300457&partnerID=8YFLogxK

U2 - 10.1145/3543507.3583348

DO - 10.1145/3543507.3583348

M3 - Conference proceeding contribution

SP - 2198

EP - 2208

BT - The ACM Web Conference 2023

PB - Association for Computing Machinery, Inc

CY - New York

T2 - 2023 World Wide Web Conference, WWW 2023

Y2 - 30 April 2023 through 4 May 2023

ER -

Training-free Lexical Backdoor Attacks on language models

Abstract

Conference

Keywords

Access to Document

Other files and links

Fingerprint

Cite this