Backdoor Learning on Sequence to Sequence Models
Lichang Chen, Minhao Cheng, Heng Huang
TL;DR
This work reveals that sequence-to-sequence models for translation and summarization are vulnerable to backdoor attacks even with minuscule poisoning (as low as 0.2%). It introduces name-substitution and BPE-based subword triggers to create dynamic backdoors, with two output-target modalities: keyword insertion and exact sentence generation. Through extensive MT/TS experiments, it achieves high attack success rates while preserving quality on clean inputs, and demonstrates evasion of state-of-the-art defenses like ONION. The findings highlight real-world security risks in seq2seq pipelines and underscore the urgent need for robust defenses against backdoors in open-ended NLP outputs.
Abstract
Backdoor learning has become an emerging research area towards building a trustworthy machine learning system. While a lot of works have studied the hidden danger of backdoor attacks in image or text classification, there is a limited understanding of the model's robustness on backdoor attacks when the output space is infinite and discrete. In this paper, we study a much more challenging problem of testing whether sequence-to-sequence (seq2seq) models are vulnerable to backdoor attacks. Specifically, we find by only injecting 0.2\% samples of the dataset, we can cause the seq2seq model to generate the designated keyword and even the whole sentence. Furthermore, we utilize Byte Pair Encoding (BPE) to create multiple new triggers, which brings new challenges to backdoor detection since these backdoors are not static. Extensive experiments on machine translation and text summarization have been conducted to show our proposed methods could achieve over 90\% attack success rate on multiple datasets and models.