Injecting Bias into Text Classification Models using Backdoor Attacks

TL;DR

This paper demonstrates how backdoor attacks can be exploited to inject biases into text classification models, showing that modern models like BERT and RoBERTa are particularly vulnerable and that injected biases can generalize beyond specific triggers.

Contribution

The authors introduce a novel bias injection method using backdoor attacks, revealing vulnerabilities in NLP models and proposing metrics to measure bias generalization.

Findings

Backdoor attacks successfully inject bias with high attack success rate.

Modern models like BERT and RoBERTa are more stealthy and vulnerable.

Injected biases can generalize beyond specific trigger phrases.

Abstract

The rapid growth of natural language processing (NLP) and pre-trained language models have enabled accurate text classification in a variety of settings. However, text classification models are susceptible to backdoor attacks, where an attacker embeds a trigger into the victim model to make the model predict attacker-desired labels in targeted scenarios. In this paper, we propose to utilize backdoor attacks for a new purpose: bias injection. We develop a backdoor attack in which a subset of the training dataset is poisoned to associate strong male actors with negative sentiment. We execute our attack on two popular text classification datasets (IMDb and SST) and seven different models ranging from traditional Doc2Vec-based models to LSTM networks and modern transformer-based BERT and RoBERTa models. Our results show that the reduction in backdoored models' benign classification accuracy is limited, implying that our attacks remain stealthy, whereas the models successfully learn to associate strong male actors with negative sentiment (100% attack success rate with >= 3% poison rate). Attacks on BERT and RoBERTa are particularly more stealthy and effective, demonstrating an increased risk of using modern and larger models. We also measure the generalizability of our bias injection by proposing two metrics: (i) U-BBSR which uses previously unseen words when measuring attack success, and (ii) P-BBSR which measures attack success using paraphrased test samples. U-BBSR and P-BBSR results show that the bias injected by our attack can go beyond memorizing a trigger phrase.