BFClass: A Backdoor-free Text Classification Framework

TL;DR

BFClass is a novel training framework that effectively defends against backdoor attacks in text classification by identifying and removing poisoned samples without introducing backdoors.

Contribution

It introduces a discriminator-based method to detect triggers and clean poisoned data, enhancing model robustness against backdoor attacks.

Findings

Identifies all triggers in poisoned datasets.

Removes 95% of poisoned samples with minimal false alarms.

Maintains near-benign model performance after cleaning.

Abstract

Backdoor attack introduces artificial vulnerabilities into the model by poisoning a subset of the training data via injecting triggers and modifying labels. Various trigger design strategies have been explored to attack text classifiers, however, defending such attacks remains an open problem. In this work, we propose BFClass, a novel efficient backdoor-free training framework for text classification. The backbone of BFClass is a pre-trained discriminator that predicts whether each token in the corrupted input was replaced by a masked language model. To identify triggers, we utilize this discriminator to locate the most suspicious token from each training sample and then distill a concise set by considering their association strengths with particular labels. To recognize the poisoned subset, we examine the training samples with these identified triggers as the most suspicious token, and check if removing the trigger will change the poisoned model's prediction. Extensive experiments demonstrate that BFClass can identify all the triggers, remove 95% poisoned training samples with very limited false alarms, and achieve almost the same performance as the models trained on the benign training data.