Two-in-One: A Model Hijacking Attack Against Text Generation Models

TL;DR

This paper introduces Ditto, a novel model hijacking attack that extends to text generation and classification models, demonstrating its effectiveness across various NLP tasks without compromising model utility.

Contribution

It broadens the scope of model hijacking attacks to include text generation, showing their applicability beyond image classification.

Findings

Ditto successfully hijacks text models across multiple datasets.

Hijacked models retain their utility after attack.

The attack demonstrates broad applicability to NLP tasks.

Abstract

Machine learning has progressed significantly in various applications ranging from face recognition to text generation. However, its success has been accompanied by different attacks. Recently a new attack has been proposed which raises both accountability and parasitic computing risks, namely the model hijacking attack. Nevertheless, this attack has only focused on image classification tasks. In this work, we broaden the scope of this attack to include text generation and classification models, hence showing its broader applicability. More concretely, we propose a new model hijacking attack, Ditto, that can hijack different text classification tasks into multiple generation ones, e.g., language translation, text summarization, and language modeling. We use a range of text benchmark datasets such as SST-2, TweetEval, AGnews, QNLI, and IMDB to evaluate the performance of our attacks. Our results show that by using Ditto, an adversary can successfully hijack text generation models without jeopardizing their utility.