Defending Against Backdoor Attacks in Natural Language Generation
This work addresses a critical security vulnerability in NLG systems, such as machine translation and dialog generation, that could lead to harmful outputs, representing an incremental step in defense strategies for a domain-specific problem.
The paper tackles the problem of backdoor attacks in natural language generation systems, which can cause models to produce malicious outputs like sexist or offensive sequences, and finds that testing the backward probability of generating sources given targets provides effective defense, achieving strong performance across different attack types and handling one-to-many issues in tasks such as dialog generation.
The frustratingly fragile nature of neural network models make current natural language generation (NLG) systems prone to backdoor attacks and generate malicious sequences that could be sexist or offensive. Unfortunately, little effort has been invested to how backdoor attacks can affect current NLG models and how to defend against these attacks. In this work, by giving a formal definition of backdoor attack and defense, we investigate this problem on two important NLG tasks, machine translation and dialog generation. Tailored to the inherent nature of NLG models (e.g., producing a sequence of coherent words given contexts), we design defending strategies against attacks. We find that testing the backward probability of generating sources given targets yields effective defense performance against all different types of attacks, and is able to handle the {\it one-to-many} issue in many NLG tasks such as dialog generation. We hope that this work can raise the awareness of backdoor risks concealed in deep NLG systems and inspire more future work (both attack and defense) towards this direction.