Mitigating backdoor attacks in LSTM-based Text Classification Systems by Backdoor Keyword Identification
This addresses a security problem for text classification systems by mitigating backdoor attacks, which is an incremental improvement as it adapts defense methods from computer vision to RNNs in text.
The paper tackles backdoor attacks in LSTM-based text classification systems by proposing a defense method called Backdoor Keyword Identification (BKI), which identifies and excludes poisoning samples from training data, achieving good performance across four datasets (IMDB, DBpedia ontology, 20 newsgroups, and Reuters-21578).
It has been proved that deep neural networks are facing a new threat called backdoor attacks, where the adversary can inject backdoors into the neural network model through poisoning the training dataset. When the input containing some special pattern called the backdoor trigger, the model with backdoor will carry out malicious task such as misclassification specified by adversaries. In text classification systems, backdoors inserted in the models can cause spam or malicious speech to escape detection. Previous work mainly focused on the defense of backdoor attacks in computer vision, little attention has been paid to defense method for RNN backdoor attacks regarding text classification. In this paper, through analyzing the changes in inner LSTM neurons, we proposed a defense method called Backdoor Keyword Identification (BKI) to mitigate backdoor attacks which the adversary performs against LSTM-based text classification by data poisoning. This method can identify and exclude poisoning samples crafted to insert backdoor into the model from training data without a verified and trusted dataset. We evaluate our method on four different text classification datset: IMDB, DBpedia ontology, 20 newsgroups and Reuters-21578 dataset. It all achieves good performance regardless of the trigger sentences.