Oct 6, 2020

Poison Attacks against Text Datasets with Conditional Adversarially Regularized Autoencoder

arXiv:2010.02684v1 · 1013 citations

AI Analysis

This paper reveals a critical security vulnerability in natural language inference and text classification systems used in AI safety applications.

The paper demonstrates a backdoor poisoning attack on NLP models using a conditional adversarially regularized autoencoder (CARA) to generate poisoned training samples, showing that adding just 1% poisoned data can steer a victim BERT classifier's predictions to a target class with >80% success rate.

This paper demonstrates a fatal vulnerability in natural language inference (NLI) and text classification systems. More concretely, we present a 'backdoor poisoning' attack on NLP models. Our poisoning attack utilizes a conditional adversarially regularized autoencoder (CARA) to generate poisoned training samples by poison injection in latent space. Just by adding 1% poisoned data, our experiments show that a victim BERT fine-tuned classifier's predictions can be steered to the poison target class with success rates of >80% when the input hypothesis is injected with the poison signature, demonstrating that NLI and text classification systems face a huge security risk.

Code Implementations: 2 repos