Mitigating Backdoor Poisoning Attacks through the Lens of Spurious Correlation
This addresses security vulnerabilities in NLP models trained on untrusted data, offering a practical defense against backdoor attacks, though it is incremental as it builds on existing spurious correlation mitigation techniques.
The paper tackles the problem of backdoor poisoning attacks in NLP models by identifying that malicious triggers exhibit spurious correlations with target labels, and proposes a defense method that filters out problematic instances based on these correlations. The result is a significant reduction in attack success rates, with near-perfect defense against insertion-based attacks.
Modern NLP models are often trained over large untrusted datasets, raising the potential for a malicious adversary to compromise model behaviour. For instance, backdoors can be implanted through crafting training instances with a specific textual trigger and a target label. This paper posits that backdoor poisoning attacks exhibit \emph{spurious correlation} between simple text features and classification labels, and accordingly, proposes methods for mitigating spurious correlation as means of defence. Our empirical study reveals that the malicious triggers are highly correlated to their target labels; therefore such correlations are extremely distinguishable compared to those scores of benign features, and can be used to filter out potentially problematic instances. Compared with several existing defences, our defence method significantly reduces attack success rates across backdoor attacks, and in the case of insertion-based attacks, our method provides a near-perfect defence.