Data-centric NLP Backdoor Defense from the Lens of Memorization

TL;DR

This paper redefines language model memorization at a fine-grained level, revealing its link to backdoor attacks, and proposes a data-centric defense that detects duplicated elements to prevent backdoors.

Contribution

It introduces a new element-wise definition of memorization, analyzes its role in backdoor attacks, and develops a detection method based on identifying duplicated sentence elements.

Findings

The strength of memorization correlates with element duplication frequency.

Duplicated sentence elements are necessary for backdoor success.

Proposed defense outperforms existing methods in various backdoor scenarios.

Abstract

Backdoor attack is a severe threat to the trustworthiness of DNN-based language models. In this paper, we first extend the definition of memorization of language models from sample-wise to more fine-grained sentence element-wise (e.g., word, phrase, structure, and style), and then point out that language model backdoors are a type of element-wise memorization. Through further analysis, we find that the strength of such memorization is positively correlated to the frequency of duplicated elements in the training dataset. In conclusion, duplicated sentence elements are necessary for successful backdoor attacks. Based on this, we propose a data-centric defense. We first detect trigger candidates in training data by finding memorizable elements, i.e., duplicated elements, and then confirm real triggers by testing if the candidates can activate backdoor behaviors (i.e., malicious elements). Results show that our method outperforms state-of-the-art defenses in defending against different types of NLP backdoors.