Backdoor Attack against NLP models with Robustness-Aware Perturbation defense

TL;DR

This paper demonstrates how to bypass robustness-aware perturbation defenses in NLP models by using adversarial training to equalize robustness gaps between poisoned and clean samples, undermining existing backdoor defenses.

Contribution

The paper introduces a novel method to break robustness-aware perturbation defenses in NLP backdoor attacks through adversarial training techniques.

Findings

Robustness gap can be controlled via adversarial training.

Existing defenses can be bypassed by equalizing robustness.

Backdoor attack effectiveness increases with this method.

Abstract

Backdoor attack intends to embed hidden backdoor into deep neural networks (DNNs), such that the attacked model performs well on benign samples, whereas its prediction will be maliciously changed if the hidden backdoor is activated by the attacker defined trigger. This threat could happen when the training process is not fully controlled, such as training on third-party data-sets or adopting third-party models. There has been a lot of research and different methods to defend such type of backdoor attacks, one being robustness-aware perturbation-based defense method. This method mainly exploits big gap of robustness between poisoned and clean samples. In our work, we break this defense by controlling the robustness gap between poisoned and clean samples using adversarial training step.