Invisible Textual Backdoor Attacks based on Dual-Trigger

TL;DR

This paper introduces a dual-trigger backdoor attack on textual large language models using syntax and mood as triggers, significantly improving attack robustness and performance over single-trigger methods.

Contribution

The paper proposes a novel dual-trigger backdoor attack method using syntax and mood, enhancing attack robustness and flexibility compared to existing single-trigger approaches.

Findings

Achieves nearly 100% attack success rate

Outperforms previous abstract feature-based methods

Provides dataset construction techniques for better attack performance

Abstract

Backdoor attacks pose an important security threat to textual large language models. Exploring textual backdoor attacks not only helps reveal the potential security risks of models, but also promotes innovation and development of defense mechanisms. Currently, most textual backdoor attack methods are based on a single trigger. For example, inserting specific content into text as a trigger or changing the abstract text features to be a trigger. However, the adoption of this single-trigger mode makes the existing backdoor attacks subject to certain limitations: either they are easily identified by the existing defense strategies, or they have certain shortcomings in attack performance and in the construction of poisoned datasets. In order to solve these issues, a dual-trigger backdoor attack method is proposed in this paper. Specifically, we use two different attributes, syntax and mood (we use subjunctive mood as an example in this article), as two different triggers. It makes our backdoor attack method similar to a double landmine which can have completely different trigger conditions simultaneously. Therefore, this method not only improves the flexibility of trigger mode, but also enhances the robustness against defense detection. A large number of experimental results show that this method significantly outperforms the previous methods based on abstract features in attack performance, and achieves comparable attack performance (almost 100\% attack success rate) with the insertion-based method. In addition, in order to further improve the attack performance, we also give the construction method of the poisoned dataset.The code and data of this paper can be obtained at https://github.com/HoyaAm/Double-Landmines.