Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

CodePurify: Defend Backdoor Attacks on Neural Code Models via Entropy-based Purification

Fangwen Mu, Junjie Wang, Zhuohao Yu, Lin Shi, Song Wang, Mingyang Li, Qing Wang

TL;DR

The results show that CodePurify significantly outperforms four commonly used defense baselines, improving average defense performance by at least 40%, 40%, and 12% across the three tasks, respectively, highlighting the potential of CodePurify to serve as a robust defense against backdoor attacks on neural code models.

Abstract

Neural code models have found widespread success in tasks pertaining to code intelligence, yet they are vulnerable to backdoor attacks, where an adversary can manipulate the victim model's behavior by inserting triggers into the source code. Recent studies indicate that advanced backdoor attacks can achieve nearly 100% attack success rates on many software engineering tasks. However, effective defense techniques against such attacks remain insufficiently explored. In this study, we propose CodePurify, a novel defense against backdoor attacks on code models through entropy-based purification. Entropy-based purification involves the process of precisely detecting and eliminating the possible triggers in the source code while preserving its semantic information. Within this process, CodePurify first develops a confidence-driven entropy-based measurement to determine whether a code snippet is poisoned and, if so, locates the triggers. Subsequently, it purifies the code by substituting the triggers with benign tokens using a masked language model. We extensively evaluate CodePurify against four advanced backdoor attacks across three representative tasks and two popular code models. The results show that CodePurify significantly outperforms four commonly used defense baselines, improving average defense performance by at least 40%, 40%, and 12% across the three tasks, respectively. These findings highlight the potential of CodePurify to serve as a robust defense against backdoor attacks on neural code models.

CodePurify: Defend Backdoor Attacks on Neural Code Models via Entropy-based Purification

TL;DR

The results show that CodePurify significantly outperforms four commonly used defense baselines, improving average defense performance by at least 40%, 40%, and 12% across the three tasks, respectively, highlighting the potential of CodePurify to serve as a robust defense against backdoor attacks on neural code models.

Abstract

Neural code models have found widespread success in tasks pertaining to code intelligence, yet they are vulnerable to backdoor attacks, where an adversary can manipulate the victim model's behavior by inserting triggers into the source code. Recent studies indicate that advanced backdoor attacks can achieve nearly 100% attack success rates on many software engineering tasks. However, effective defense techniques against such attacks remain insufficiently explored. In this study, we propose CodePurify, a novel defense against backdoor attacks on code models through entropy-based purification. Entropy-based purification involves the process of precisely detecting and eliminating the possible triggers in the source code while preserving its semantic information. Within this process, CodePurify first develops a confidence-driven entropy-based measurement to determine whether a code snippet is poisoned and, if so, locates the triggers. Subsequently, it purifies the code by substituting the triggers with benign tokens using a masked language model. We extensively evaluate CodePurify against four advanced backdoor attacks across three representative tasks and two popular code models. The results show that CodePurify significantly outperforms four commonly used defense baselines, improving average defense performance by at least 40%, 40%, and 12% across the three tasks, respectively. These findings highlight the potential of CodePurify to serve as a robust defense against backdoor attacks on neural code models.

Paper Structure

This paper contains 33 sections, 5 equations, 4 figures, 4 tables.

Table of Contents

  1. Introduction
  2. Threat Model and Motivation
  3. Threat Model and Defense Assumption
  4. Motivation
  5. Approach
  6. Poisoned Sample Detection and Trigger Localization
  7. Masked Code Generation
  8. Suspicion Score Calculation
  9. Entropy Analysis
  10. Purified Code Generation
  11. Experimental Setup
  12. Tasks and Datasets
  13. Victim Models
  14. Attack Methods
  15. Defense Baselines
  16. ...and 18 more sections

Figures (4)

  • Figure 1: A motivation example. The two code snippets on the left represent clean code and poisoned code, with their statements numbered. The tables on the right display the changes in the victim model's predictions (predicted labels and corresponding confidence) after each statement is masked. Note that, for unknown inputs, we mask both identifiers and statements; however, this example only demonstrates masking of statements for simplicity.
  • Figure 2: The overview of CodePurify
  • Figure 3: Ablation study on CodePurify. The top sub-figures show the ASRD of CodePurify and its variants, where lower ASRD indicates better defense. The bottom sub-figures depict the ACCD or BLEUD of CodePurify and its variants, where higher ACCD or BLEUD indicates better defense.
  • Figure 4: Attack success rate (ASRD) and clean accuracy (ACCD) of CodePurify on defect detection task with different entropy thresholds ($t$).