Data-centric NLP Backdoor Defense from the Lens of Memorization
This addresses the trustworthiness issue in NLP models for users and developers, but is incremental as it builds on existing memorization concepts.
The paper tackles the problem of backdoor attacks in language models by identifying that duplicated sentence elements are necessary for such attacks, and proposes a data-centric defense method that detects trigger candidates and confirms real triggers, outperforming state-of-the-art defenses.
Backdoor attack is a severe threat to the trustworthiness of DNN-based language models. In this paper, we first extend the definition of memorization of language models from sample-wise to more fine-grained sentence element-wise (e.g., word, phrase, structure, and style), and then point out that language model backdoors are a type of element-wise memorization. Through further analysis, we find that the strength of such memorization is positively correlated to the frequency of duplicated elements in the training dataset. In conclusion, duplicated sentence elements are necessary for successful backdoor attacks. Based on this, we propose a data-centric defense. We first detect trigger candidates in training data by finding memorizable elements, i.e., duplicated elements, and then confirm real triggers by testing if the candidates can activate backdoor behaviors (i.e., malicious elements). Results show that our method outperforms state-of-the-art defenses in defending against different types of NLP backdoors.