Mitigating backdoor attacks in LSTM-based Text Classification Systems by Backdoor Keyword Identification

TL;DR

This paper introduces Backdoor Keyword Identification (BKI), a novel defense method to detect and exclude poisoned data samples in LSTM-based text classification models, effectively mitigating backdoor attacks.

Contribution

The paper presents a new defense technique specifically for RNN backdoor attacks in text classification, analyzing LSTM neuron changes to identify malicious training data.

Findings

Effective detection of poisoned samples across four datasets

High accuracy in mitigating backdoor triggers

Applicable without a trusted dataset

Abstract

It has been proved that deep neural networks are facing a new threat called backdoor attacks, where the adversary can inject backdoors into the neural network model through poisoning the training dataset. When the input containing some special pattern called the backdoor trigger, the model with backdoor will carry out malicious task such as misclassification specified by adversaries. In text classification systems, backdoors inserted in the models can cause spam or malicious speech to escape detection. Previous work mainly focused on the defense of backdoor attacks in computer vision, little attention has been paid to defense method for RNN backdoor attacks regarding text classification. In this paper, through analyzing the changes in inner LSTM neurons, we proposed a defense method called Backdoor Keyword Identification (BKI) to mitigate backdoor attacks which the adversary performs against LSTM-based text classification by data poisoning. This method can identify and exclude poisoning samples crafted to insert backdoor into the model from training data without a verified and trusted dataset. We evaluate our method on four different text classification datset: IMDB, DBpedia ontology, 20 newsgroups and Reuters-21578 dataset. It all achieves good performance regardless of the trigger sentences.