Imperio: Language-Guided Backdoor Attacks for Arbitrary Model Control
This work addresses security threats in NLP systems by introducing a novel backdoor attack method, one that advances prior attacks by leveraging language understanding for enhanced model control.
The paper tackles the problem of backdoor vulnerabilities in NLP models by proposing Imperio, a language-guided backdoor attack that steers victim models toward arbitrary outputs through text instructions, achieving high success rates across datasets without compromising accuracy on clean inputs.
Natural language processing (NLP) has received unprecedented attention. While advancements in NLP models have led to extensive research into their backdoor vulnerabilities, the potential for these advancements to introduce new backdoor threats remains unexplored. This paper proposes Imperio, which harnesses the language understanding capabilities of NLP models to enrich backdoor attacks. Imperio provides a new model control experience. Demonstrated through controlling image classifiers, it empowers the adversary to manipulate the victim model with arbitrary output through language-guided instructions. This is achieved using a language model to fuel a conditional trigger generator, with optimizations designed to extend its language understanding capabilities to backdoor instruction interpretation and execution. Our experiments across three datasets, five attacks, and nine defenses confirm Imperio's effectiveness. It can produce contextually adaptive triggers from text descriptions and control the victim model with desired outputs, even in scenarios not encountered during training. The attack reaches a high success rate across complex datasets without compromising the accuracy of clean inputs and exhibits resilience against representative defenses.