| Challenge: | Existing attacks disregard fluency and semantic fidelity of poisoned text, rendering it easily detectable. |
| Approach: | They propose to use AI-generated poisoned text to attack NLP models by establishing covert associations between trigger patterns and target labels without affecting normal accuracy. |
| Outcome: | The proposed method achieves effective attacks while maintaining fluency and semantic similarity across all scenarios. |
Similar Papers
Triggerless Backdoor Attack for NLP Tasks with Clean Labels (2022.naacl-main)
Copied to clipboard
Leilei Gan, Jiwei Li, Tianwei Zhang, Xiaoya Li, Yuxian Meng, Fei Wu, Yi Yang, Shangwei Guo, Chun Fan
| Challenge: | Backdoor attacks are a new threat to neural natural language processing models due to the fragility and lack of interpretability of NLP models. |
| Approach: | They propose a method to perform backdoor attacks without an external trigger . they propose to use clean-labeled examples to generate poisoned clean-labelled examples . |
| Outcome: | The proposed strategy is effective and hard to defend due to its triggerless nature. |
Be Careful about Poisoned Word Embeddings: Exploring the Vulnerability of the Embedding Layers in NLP Models (2021.naacl-main)
Copied to clipboard
| Challenge: | Recent studies reveal a security threat to natural language processing models, called the Backdoor Attack. |
| Approach: | They propose to hack a model by modifying one single word embedding vector without sacrificing accuracy on clean samples. |
| Outcome: | The proposed method is more efficient and stealthier on sentiment analysis and sentence-pair classification tasks. |
Expose Backdoors on the Way: A Feature-Based Efficient Defense against Textual Backdoor Attacks (2022.findings-emnlp)
Copied to clipboard
| Challenge: | Existing online backdoor defense methods for NLP models focus on anomalies at input or output level, causing fragility to adaptive attacks and high computational cost. |
| Approach: | They propose a feature-based online defense method to detect poisoned samples . they use a distance-based anomaly score to distinguish poisones from clean samples based on feature-level regularization . |
| Outcome: | The proposed method outperforms existing methods in sentiment analysis and offense detection tasks. |
Large Language Models Are Better Adversaries: Exploring Generative Clean-Label Backdoor Attacks Against Text Classifiers (2023.findings-emnlp)
Copied to clipboard
| Challenge: | Backdoor attacks manipulate model predictions by inserting malicious "poison" instances that contain a specific pattern or "trigger." |
| Approach: | They propose an attack that inserts style-based triggers into training and test data by using a poison selection technique to improve the effectiveness of both LLMBkd and existing backdoor attacks. |
| Outcome: | The proposed attack achieves high success rates across a wide range of styles with little effort and no model training. |
BITE: Textual Backdoor Attacks with Iterative Trigger Injection (2023.acl-long)
Copied to clipboard
| Challenge: | Existing methods to defend against backdoor attacks are based on model stealing, model thieving and training data extraction attacks. |
| Approach: | They propose a backdoor attack that poisons training data to establish strong correlations between the target label and a set of “trigger words” These trigger words are iteratively identified and injected into the target-label instances through natural word-level perturbations. |
| Outcome: | The proposed attack is significantly more effective than baseline methods while maintaining decent stealthiness, raising alarm on the usage of untrusted training data. |
When Backdoors Speak: Understanding LLM Backdoor Attacks Through Model-Generated Explanations (2025.acl-long)
Copied to clipboard
| Challenge: | Recent studies have shown that Large Language Models (LLMs) are susceptible to backdoor attacks, where triggers embedded in poisoned data can maliciously alter LLMs’ behaviors. |
| Approach: | They propose to leverage LLMs' generative capabilities to generate human-readable explanations for their decisions, enabling direct comparisons between explanations of clean and poisoned data. |
| Outcome: | The proposed model produces coherent explanations for clean inputs but logically flawed explanations on poisoned data. |
Mitigating Backdoor Poisoning Attacks through the Lens of Spurious Correlation (2023.emnlp-main)
Copied to clipboard
| Challenge: | Modern NLP models are often trained over large untrustworthy datasets, raising the potential for a malicious adversary to compromise model behaviour. |
| Approach: | They propose to mitigate spurious correlations between textual triggers and classification labels by combining them with insertion-based attacks. |
| Outcome: | The proposed defence significantly reduces attack success rates across backdoor attacks and provides a near-perfect defence against insertion-based attacks. |
Rethinking Stealthiness of Backdoor Attack against NLP Models (2021.acl-long)
Copied to clipboard
| Challenge: | Existing backdoor attacks are not stealthy to system deployers or users. |
| Approach: | They propose a novel backdoor attack method based on negative data augmentation and modifying word embeddings that is much stealthier while maintaining pretty good attacking performance. |
| Outcome: | The proposed method is much stealthier while maintaining pretty good attacking performance. |
Universal Vulnerabilities in Large Language Models: Backdoor Attacks for In-context Learning (2024.emnlp-main)
Copied to clipboard
| Challenge: | In-context learning has shown high efficacy in several NLP tasks, especially in few-shot settings. |
| Approach: | They propose a backdoor attack method that poisons demonstration examples and poisons the demonstration context, preserving the model's generality. |
| Outcome: | The proposed method can make models behave in alignment with predefined intentions without fine-tuning the model. |
Where to Attack: A Dynamic Locator Model for Backdoor Attack in Text Classifications (2022.coling-1)
Copied to clipboard
| Challenge: | BackDoor Attack (BDA) study aims to train a poisoned model with clean data and some trigger-embedded instances to perform normally on normal inputs. |
| Approach: | They propose to train a poisoned model with clean and poisonest inputs . they propose to use triggers to predict those poisonets as target labels . |
| Outcome: | The proposed model can predict P2P dynamically without human intervention. |