Training-free Lexical Backdoor Attacks on language models

Yujin Huang; Terry Yue Zhuo; Qiongkai Xu; Han Hu; Xingliang Yuan; Chunyang Chen

doi:10.1145/3543507.3583348

Training-free Lexical Backdoor Attacks on language models

Yujin Huang, Terry Yue Zhuo, Qiongkai Xu, Han Hu, Xingliang Yuan, Chunyang Chen

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

28 Citations (Scopus)

Abstract

Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters. In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.

Original language	English
Title of host publication	Proceedings of The World Wide Web Conference WWW 2023
Editors	Lora Aroyo, Carlos Castillo, Geert-Jan Houben
Place of Publication	New York NY USA
Publisher	Association for Computing Machinery (ACM)
Pages	2198-2208
Number of pages	11
ISBN (Electronic)	9781450394161
DOIs	https://doi.org/10.1145/3543507.3583348
Publication status	Published - 2023
Event	International World Wide Web Conference 2023 - Austin, United States of America Duration: 30 Apr 2023 → 4 May 2023 https://dl.acm.org/doi/proceedings/10.1145/3543507 (Proceedings) https://www2023.thewebconf.org/ (Website)

Conference

Conference	International World Wide Web Conference 2023
Abbreviated title	WWW 2023
Country/Territory	United States of America
City	Austin
Period	30/04/23 → 4/05/23
Internet address	https://dl.acm.org/doi/proceedings/10.1145/3543507 (Proceedings) https://www2023.thewebconf.org/ (Website)

Keywords

Backdoor Attack
Language Model
Lexical Modification
Tokenizer

Access to Document

10.1145/3543507.3583348

Cite this

@inproceedings{c1ba4ac8972b4e279be7d6c539175672,

title = "Training-free Lexical Backdoor Attacks on language models",

abstract = "Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters. In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.",

keywords = "Backdoor Attack, Language Model, Lexical Modification, Tokenizer",

author = "Yujin Huang and Zhuo, \{Terry Yue\} and Qiongkai Xu and Han Hu and Xingliang Yuan and Chunyang Chen",

note = "Funding Information: We thank Trevor Cohn for insightful discussion and feedback when forming the idea of this work. Publisher Copyright: {\textcopyright} 2023 ACM.; International World Wide Web Conference 2023, WWW 2023 ; Conference date: 30-04-2023 Through 04-05-2023",

year = "2023",

doi = "10.1145/3543507.3583348",

language = "English",

pages = "2198--2208",

editor = "Lora Aroyo and Carlos Castillo and Geert-Jan Houben",

booktitle = "Proceedings of The World Wide Web Conference WWW 2023",

publisher = "Association for Computing Machinery (ACM)",

address = "United States of America",

url = "https://dl.acm.org/doi/proceedings/10.1145/3543507, https://www2023.thewebconf.org/",

}

Huang, Y, Zhuo, TY, Xu, Q, Hu, H, Yuan, X & Chen, C 2023, Training-free Lexical Backdoor Attacks on language models. in L Aroyo, C Castillo & G-J Houben (eds), Proceedings of The World Wide Web Conference WWW 2023. Association for Computing Machinery (ACM), New York NY USA, pp. 2198-2208, International World Wide Web Conference 2023, Austin, Texas, United States of America, 30/04/23. https://doi.org/10.1145/3543507.3583348

Training-free Lexical Backdoor Attacks on language models. / Huang, Yujin; Zhuo, Terry Yue; Xu, Qiongkai et al.
Proceedings of The World Wide Web Conference WWW 2023. ed. / Lora Aroyo; Carlos Castillo; Geert-Jan Houben. New York NY USA: Association for Computing Machinery (ACM), 2023. p. 2198-2208.

Research output: Chapter in Book/Report/Conference proceeding › Conference Paper › Research › peer-review

TY - GEN

T1 - Training-free Lexical Backdoor Attacks on language models

AU - Huang, Yujin

AU - Zhuo, Terry Yue

AU - Xu, Qiongkai

AU - Hu, Han

AU - Yuan, Xingliang

AU - Chen, Chunyang

PY - 2023

Y1 - 2023

N2 - Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters. In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.

AB - Large-scale language models have achieved tremendous success across various natural language processing (NLP) applications. Nevertheless, language models are vulnerable to backdoor attacks, which inject stealthy triggers into models for steering them to undesirable behaviors. Most existing backdoor attacks, such as data poisoning, require further (re)training or fine-tuning language models to learn the intended backdoor patterns. The additional training process however diminishes the stealthiness of the attacks, as training a language model usually requires long optimization time, a massive amount of data, and considerable modifications to the model parameters. In this work, we propose Training-Free Lexical Backdoor Attack (TFLexAttack) as the first training-free backdoor attack on language models. Our attack is achieved by injecting lexical triggers into the tokenizer of a language model via manipulating its embedding dictionary using carefully designed rules. These rules are explainable to human developers which inspires attacks from a wider range of hackers. The sparse manipulation of the dictionary also habilitates the stealthiness of our attack. We conduct extensive experiments on three dominant NLP tasks based on nine language models to demonstrate the effectiveness and universality of our attack. The code of this work is available at https://github.com/Jinxhy/TFLexAttack.

KW - Backdoor Attack

KW - Language Model

KW - Lexical Modification

KW - Tokenizer

UR - https://www.scopus.com/pages/publications/85159300457

U2 - 10.1145/3543507.3583348

DO - 10.1145/3543507.3583348

M3 - Conference Paper

AN - SCOPUS:85159300457

SP - 2198

EP - 2208

BT - Proceedings of The World Wide Web Conference WWW 2023

A2 - Aroyo, Lora

A2 - Castillo, Carlos

A2 - Houben, Geert-Jan

PB - Association for Computing Machinery (ACM)

CY - New York NY USA

T2 - International World Wide Web Conference 2023

Y2 - 30 April 2023 through 4 May 2023

ER -

Training-free Lexical Backdoor Attacks on language models

Abstract

Conference

Keywords

Access to Document

Other files and links

Cite this