Strategic Sample Selection for Improved Clean-Label Backdoor Attacks in Text Classification
This work addresses a security vulnerability in NLP models for applications like sentiment analysis and hate speech detection, representing an incremental improvement over existing clean-label attacks.
The paper tackled the challenge of improving clean-label backdoor attacks in text classification by proposing three sample selection strategies (Minimum, Above50, Below50) that target incorrectly or low-confidence predicted samples, resulting in significantly higher attack success rates with minimal impact on clean accuracy, often outperforming a state-of-the-art method.
Backdoor attacks pose a significant threat to the integrity of text classification models used in natural language processing. While several dirty-label attacks that achieve high attack success rates (ASR) have been proposed, clean-label attacks are inherently more difficult. In this paper, we propose three sample selection strategies to improve attack effectiveness in clean-label scenarios: Minimum, Above50, and Below50. Our strategies identify those samples which the model predicts incorrectly or with low confidence, and by injecting backdoor triggers into such samples, we aim to induce a stronger association between the trigger patterns and the attacker-desired target label. We apply our methods to clean-label variants of four canonical backdoor attacks (InsertSent, WordInj, StyleBkd, SynBkd) and evaluate them on three datasets (IMDB, SST2, HateSpeech) and four model types (LSTM, BERT, DistilBERT, RoBERTa). Results show that the proposed strategies, particularly the Minimum strategy, significantly improve the ASR over random sample selection with little or no degradation in the model's clean accuracy. Furthermore, clean-label attacks enhanced by our strategies outperform BITE, a state of the art clean-label attack method, in many configurations.