Backdoor Token Unlearning: Exposing and Defending Backdoors in Pretrained Language Models
This addresses a critical security problem for users of fine-tuned language models, offering a proactive defense against backdoor attacks, though it is incremental as it builds on existing insights about token parameters.
The paper tackles the vulnerability of pretrained language models to backdoor attacks during fine-tuning by proposing Backdoor Token Unlearning (BTU), a method that detects and neutralizes trigger tokens in the training stage, effectively defending against various attacks while maintaining model performance.
Supervised fine-tuning has become the predominant method for adapting large pretrained models to downstream tasks. However, recent studies have revealed that these models are vulnerable to backdoor attacks, where even a small number of malicious samples can successfully embed backdoor triggers into the model. While most existing defense methods focus on post-training backdoor defense, efficiently defending against backdoor attacks during training phase remains largely unexplored. To address this gap, we propose a novel defense method called Backdoor Token Unlearning (BTU), which proactively detects and neutralizes trigger tokens during the training stage. Our work is based on two key findings: 1) backdoor learning causes distinctive differences between backdoor token parameters and clean token parameters in word embedding layers, and 2) the success of backdoor attacks heavily depends on backdoor token parameters. The BTU defense leverages these properties to identify aberrant embedding parameters and subsequently removes backdoor behaviors using a fine-grained unlearning technique. Extensive evaluations across three datasets and four types of backdoor attacks demonstrate that BTU effectively defends against these threats while preserving the model's performance on primary tasks. Our code is available at https://github.com/XDJPH/BTU.