Backdoor Learning on Sequence to Sequence Models
This work addresses a critical security problem for users of seq2seq models in NLP applications, revealing significant vulnerabilities with practical implications.
The paper investigates the vulnerability of sequence-to-sequence models to backdoor attacks, finding that injecting only 0.2% of dataset samples can cause models to generate designated keywords or sentences, achieving over 90% attack success rates in experiments on machine translation and text summarization.
Backdoor learning has become an emerging research area towards building a trustworthy machine learning system. While a lot of works have studied the hidden danger of backdoor attacks in image or text classification, there is a limited understanding of the model's robustness on backdoor attacks when the output space is infinite and discrete. In this paper, we study a much more challenging problem of testing whether sequence-to-sequence (seq2seq) models are vulnerable to backdoor attacks. Specifically, we find by only injecting 0.2\% samples of the dataset, we can cause the seq2seq model to generate the designated keyword and even the whole sentence. Furthermore, we utilize Byte Pair Encoding (BPE) to create multiple new triggers, which brings new challenges to backdoor detection since these backdoors are not static. Extensive experiments on machine translation and text summarization have been conducted to show our proposed methods could achieve over 90\% attack success rate on multiple datasets and models.