Strategic Sample Selection for Improved Clean-Label Backdoor Attacks in Text Classification

TL;DR

This paper introduces three sample selection strategies to enhance clean-label backdoor attacks in text classification, significantly increasing attack success rates without harming model accuracy.

Contribution

The paper proposes novel sample selection methods that improve the effectiveness of clean-label backdoor attacks in NLP models, outperforming existing techniques.

Findings

Strategies significantly improve attack success rate

Minimal impact on model's clean accuracy

Outperforms state-of-the-art clean-label attack methods

Abstract

Backdoor attacks pose a significant threat to the integrity of text classification models used in natural language processing. While several dirty-label attacks that achieve high attack success rates (ASR) have been proposed, clean-label attacks are inherently more difficult. In this paper, we propose three sample selection strategies to improve attack effectiveness in clean-label scenarios: Minimum, Above50, and Below50. Our strategies identify those samples which the model predicts incorrectly or with low confidence, and by injecting backdoor triggers into such samples, we aim to induce a stronger association between the trigger patterns and the attacker-desired target label. We apply our methods to clean-label variants of four canonical backdoor attacks (InsertSent, WordInj, StyleBkd, SynBkd) and evaluate them on three datasets (IMDB, SST2, HateSpeech) and four model types (LSTM, BERT, DistilBERT, RoBERTa). Results show that the proposed strategies, particularly the Minimum strategy, significantly improve the ASR over random sample selection with little or no degradation in the model's clean accuracy. Furthermore, clean-label attacks enhanced by our strategies outperform BITE, a state of the art clean-label attack method, in many configurations.