A backdoor attack against LSTM-based text classification systems

TL;DR

This paper demonstrates a novel backdoor attack on LSTM-based text classification models using data poisoning, achieving high success rates with minimal data alteration and minimal impact on model performance.

Contribution

It introduces a stealthy backdoor attack method for RNN-based text classifiers, expanding the scope of backdoor vulnerabilities beyond CNNs and images.

Findings

Achieves around 95% attack success rate with 1% poisoning.

Backdoor triggers are stealthy and minimally affect model accuracy.

Effective in black-box settings with limited knowledge.

Abstract

With the widespread use of deep learning system in many applications, the adversary has strong incentive to explore vulnerabilities of deep neural networks and manipulate them. Backdoor attacks against deep neural networks have been reported to be a new type of threat. In this attack, the adversary will inject backdoors into the model and then cause the misbehavior of the model through inputs including backdoor triggers. Existed research mainly focuses on backdoor attacks in image classification based on CNN, little attention has been paid to the backdoor attacks in RNN. In this paper, we implement a backdoor attack in text classification based on LSTM by data poisoning. When the backdoor is injected, the model will misclassify any text samples that contains a specific trigger sentence into the target category determined by the adversary. The existence of the backdoor trigger is stealthy and the backdoor injected has little impact on the performance of the model. We consider the backdoor attack in black-box setting where the adversary has no knowledge of model structures or training algorithms except for small amount of training data. We verify the attack through sentiment analysis on the dataset of IMDB movie reviews. The experimental results indicate that our attack can achieve around 95% success rate with 1% poisoning rate.