Large Language Models are Good Attackers: Efficient and Stealthy Textual Backdoor Attacks

Ziqiang Li, Yueqi Zeng, Pengfei Xia, Lei Liu, Zhangjie Fu, Bin Li

TL;DR

This paper introduces EST-Bad, an Efficient and Stealthy Textual backdoor attack method that leverages Large Language Models (LLMs), and shows that it efficiently achieves competitive attack performance while maintaining superior stealthiness compared to prior methods across various text classifier datasets.

Abstract

With the burgeoning advancements in the field of natural language processing (NLP), the demand for training data has increased significantly. To save costs, it has become common for users and businesses to outsource the labor-intensive task of data collection to third-party entities. Unfortunately, recent research has unveiled the inherent risk associated with this practice, particularly in exposing NLP systems to potential backdoor attacks. Specifically, these attacks enable malicious control over the behavior of a trained model by poisoning a small portion of the training data. Unlike backdoor attacks in computer vision, textual backdoor attacks impose stringent requirements for attack stealthiness. However, existing attack methods face a significant trade-off between effectiveness and stealthiness, largely due to the high information entropy inherent in textual data. In this paper, we introduce the Efficient and Stealthy Textual backdoor attack method, EST-Bad, leveraging Large Language Models (LLMs). Our EST-Bad encompasses three core strategies: optimizing the inherent flaw of models as the trigger, stealthily injecting triggers with LLMs, and meticulously selecting the most impactful samples for backdoor injection. Through the integration of these techniques, EST-Bad efficiently achieves competitive attack performance while maintaining superior stealthiness compared to prior methods across various text classifier datasets.

Paper Structure (33 sections, 4 equations, 8 figures, 6 tables, 2 algorithms)

This paper contains 33 sections, 4 equations, 8 figures, 6 tables, 2 algorithms.

Figures (8)

  • Figure 1: Poisoning set generation of our proposed EST-Bad. We generate the poisoning set in three steps: Trigger Word Optimization (optimizing the inherent flaw of models as the trigger), Stealthy Trigger Injection (injecting the trigger stealthily with LLMs), and Important Sample Selection (selecting the samples that contribute most to the backdoor injection).
  • Figure 2: Visualizations of the similarity distribution and Attack Success Rate (ASR) for different sample selections on the SST-2 dataset. (a) and (b): the distribution of distance (in contrast to the cosine similarity) between clean and corresponding poisoned samples within the feature space of a pre-trained benign model, comparing poisoning with efficient samples chosen by the FUS-p selection strategy from zeng2023efficient ('Efficient') against random selection ('Random') in the dirty-label and clean-label settings, respectively; (c) and (d): the ASR of different sampling methods in the dirty-label and clean-label settings, respectively. The methods are 'Random Sampling', 'High-similarity Sampling' (sampling the pairs with the highest similarity between clean and corresponding poisoned samples), and 'Low-similarity Sampling' (sampling the pairs with the lowest similarity between clean and corresponding poisoned samples).
  • Figure 3: Attack success rate (ASR) of our EST-Bad and five baselines across a range of poisoning ratios $\gamma$ on three datasets, under both dirty-label and clean-label settings.
  • Figure 4: ASR of different triggers for (a): Dirty-label setting and (b): Clean-label setting on the SST-2 dataset. The poisoning ratios of different poisoned attacks for dirty-label setting and clean-label setting are $0.3\%$ and $3\%$, respectively.
  • Figure 5: ASR of different sample selection strategies on the SST-2 dataset. The poisoning ratios of different poisoned attacks for dirty-label setting and clean-label setting are 0.3% and 3%, respectively.
  • ...and 3 more figures