Prompt as Triggers for Backdoor Attack: Examining the Vulnerability in Language Models
This addresses a security problem for users of NLP models by exposing a stealthy vulnerability in prompt-based learning, though it is incremental as it builds on existing backdoor attack methods.
The paper tackles the vulnerability of prompt-based learning in language models to backdoor attacks by proposing ProAttack, a method that uses the prompt itself as a trigger for clean-label attacks, achieving state-of-the-art attack success rates in rich-resource settings without external triggers.
The prompt-based learning paradigm, which bridges the gap between pre-training and fine-tuning, achieves state-of-the-art performance on several NLP tasks, particularly in few-shot settings. Despite being widely applied, prompt-based learning is vulnerable to backdoor attacks. Textual backdoor attacks are designed to introduce targeted vulnerabilities into models by poisoning a subset of training samples through trigger injection and label modification. However, they suffer from flaws such as abnormal natural language expressions resulting from the trigger and incorrect labeling of poisoned samples. In this study, we propose ProAttack, a novel and efficient method for performing clean-label backdoor attacks based on the prompt, which uses the prompt itself as a trigger. Our method does not require external triggers and ensures correct labeling of poisoned samples, improving the stealthy nature of the backdoor attack. With extensive experiments on rich-resource and few-shot text classification tasks, we empirically validate ProAttack's competitive performance in textual backdoor attacks. Notably, in the rich-resource setting, ProAttack achieves state-of-the-art attack success rates in the clean-label backdoor attack benchmark without external triggers.