BadPre: Task-agnostic Backdoor Attacks to Pre-trained NLP Foundation Models
Reviewed by Pithpith:VPKERVHHopen to challenge →
read the original abstract
Pre-trained Natural Language Processing (NLP) models can be easily adapted to a variety of downstream language tasks. This significantly accelerates the development of language models. However, NLP models have been shown to be vulnerable to backdoor attacks, where a pre-defined trigger word in the input text causes model misprediction. Previous NLP backdoor attacks mainly focus on some specific tasks. This makes those attacks less general and applicable to other kinds of NLP models and tasks. In this work, we propose \Name, the first task-agnostic backdoor attack against the pre-trained NLP models. The key feature of our attack is that the adversary does not need prior information about the downstream tasks when implanting the backdoor to the pre-trained model. When this malicious model is released, any downstream models transferred from it will also inherit the backdoor, even after the extensive transfer learning process. We further design a simple yet effective strategy to bypass a state-of-the-art defense. Experimental results indicate that our approach can compromise a wide range of downstream NLP tasks in an effective and stealthy way.
This paper has not been read by Pith yet.
Forward citations
Cited by 3 Pith papers
-
BadDLM: Backdooring Diffusion Language Models with Diverse Targets
BadDLM implants effective backdoors in diffusion language models across concept, attribute, alignment, and payload targets by exploiting denoising dynamics while preserving clean performance.
-
When the Aggregator Cheats: Data-Free Backdoors in Federated LLM-based QA Systems
Two-stage gradient-inversion attack recovers 5-20% of client samples to inject stealthy ad backdoors into federated QA LLMs, reaching ~100% ASR with negligible clean-task drop.
-
Token-Level Generalization in LoRA Adapter Backdoors: Attack Characterization and Behavioral Detection
LoRA adapters can be reliably backdoored through training-data poisoning with token-level generalization, and both behavioral probe statistics and weight-norm statistics separate poisoned from clean adapters.
discussion (0)
Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.