Backdoor Attack against NLP models with Robustness-Aware Perturbation defense
This work addresses security vulnerabilities in NLP models for users relying on third-party data or models, but it is incremental as it focuses on defeating a specific existing defense.
The paper tackles the problem of backdoor attacks on NLP models by breaking a robustness-aware perturbation defense, achieving this by controlling the robustness gap between poisoned and clean samples through adversarial training.
Backdoor attack intends to embed hidden backdoor into deep neural networks (DNNs), such that the attacked model performs well on benign samples, whereas its prediction will be maliciously changed if the hidden backdoor is activated by the attacker defined trigger. This threat could happen when the training process is not fully controlled, such as training on third-party data-sets or adopting third-party models. There has been a lot of research and different methods to defend such type of backdoor attacks, one being robustness-aware perturbation-based defense method. This method mainly exploits big gap of robustness between poisoned and clean samples. In our work, we break this defense by controlling the robustness gap between poisoned and clean samples using adversarial training step.