TrojText: Test-time Invisible Textual Trojan Insertion
- URL: http://arxiv.org/abs/2303.02242v2
- Date: Tue, 22 Aug 2023 02:34:19 GMT
- Title: TrojText: Test-time Invisible Textual Trojan Insertion
- Authors: Qian Lou, Yepeng Liu, Bo Feng
- Abstract summary: In Natural Language Processing (NLP), intelligent neuron models can be susceptible to textual Trojan attacks.
This paper proposes a solution called TrojText, which aims to determine whether invisible textual Trojan attacks can be performed more efficiently and cost-effectively without training data.
The proposed approach, called the Representation-Logit Trojan Insertion (RLI) algorithm, uses smaller sampled test data instead of large training data to achieve the desired attack.
- Score: 18.866093947145654
- License: http://creativecommons.org/licenses/by-sa/4.0/
- Abstract: In Natural Language Processing (NLP), intelligent neuron models can be susceptible to textual Trojan attacks. Such attacks occur when Trojan models behave normally for standard inputs but generate malicious output for inputs that contain a specific trigger. Syntactic-structure triggers, which are invisible, are becoming more popular for Trojan attacks because they are difficult to detect and defend against. However, these types of attacks require a large corpus of training data to generate poisoned samples with the necessary syntactic structures for Trojan insertion. Obtaining such data can be difficult for attackers, and the process of generating syntactic poisoned triggers and inserting Trojans can be time-consuming. This paper proposes a solution called TrojText, which aims to determine whether invisible textual Trojan attacks can be performed more efficiently and cost-effectively without training data. The proposed approach, called the Representation-Logit Trojan Insertion (RLI) algorithm, uses smaller sampled test data instead of large training data to achieve the desired attack. The paper also introduces two additional techniques, namely the accumulated gradient ranking (AGR) and Trojan Weights Pruning (TWP), to reduce the number of tuned parameters and the attack overhead. The TrojText approach was evaluated on three datasets (AG's News, SST-2, and OLID) using three NLP models (BERT, XLNet, and DeBERTa). The experiments demonstrated that the TrojText approach achieved a 98.35% classification accuracy for test sentences in the target class on the BERT model for the AG's News dataset. The source code for TrojText is available at https://github.com/UCF-ML-Research/TrojText.
Related papers
- TrojLLM: A Black-box Trojan Prompt Attack on Large Language Models [29.66515518909497] (2023-06-12)
TrojLLM is an automatic and black-box framework to generate universal and stealthy triggers.
It supports embedding Trojans within discrete prompts, enhancing the overall effectiveness and precision of the triggers' attacks.
Our experiments and results demonstrate TrojLLM's capacity to effectively insert Trojans into text prompts in real-world black-box LLM APIs.
- TrojDiff: Trojan Attacks on Diffusion Models with Diverse Targets [74.12197473591128] (2023-03-10)
We propose an effective Trojan attack against diffusion models, TrojDiff.
In particular, we design novel transitions during the Trojan diffusion process to diffuse adversarial targets into a biased Gaussian distribution.
We show that TrojDiff always achieves high attack performance under different adversarial targets using different types of triggers.
- Game of Trojans: A Submodular Byzantine Approach [9.512062990461212] (2022-07-13)
We provide an analytical characterization of adversarial capability and strategic interactions between the adversary and detection mechanism.
We propose a Submodular Trojan algorithm to determine the minimal fraction of samples to inject a Trojan trigger.
We show that the adversary wins the game with probability one, thus bypassing detection.
- Quarantine: Sparsity Can Uncover the Trojan Attack Trigger for Free [126.15842954405929] (2022-05-24)
Trojan attacks threaten deep neural networks (DNNs) by poisoning them to behave normally on most samples, yet to produce manipulated results for inputs attached with a trigger.
We propose a novel Trojan network detection regime: first locating a "winning Trojan lottery ticket" which preserves nearly full Trojan information yet only chance-level performance on clean inputs; then recovering the trigger embedded in this already isolated subnetwork.
- Practical Detection of Trojan Neural Networks: Data-Limited and Data-Free Cases [87.69818690239627] (2020-07-31)
We study the problem of the Trojan network (TrojanNet) detection in the data-scarce regime.
We propose a data-limited TrojanNet detector (TND), when only a few data samples are available for TrojanNet detection.
In addition, we propose a data-free TND, which can detect a TrojanNet without accessing any data samples.
- Odyssey: Creation, Analysis and Detection of Trojan Models [91.13959405645959] (2020-07-16)
Trojan attacks interfere with the training pipeline by inserting triggers into some of the training samples and train the model to act maliciously only for samples that contain the trigger.
Existing Trojan detectors make strong assumptions about the types of triggers and attacks.
We propose a detector that is based on the analysis of the intrinsic properties that are affected by the Trojaning process.
- An Embarrassingly Simple Approach for Trojan Attack in Deep Neural Networks [59.42357806777537] (2020-06-15)
Trojan attack aims to attack deployed deep neural networks (DNNs) relying on hidden trigger patterns inserted by hackers.
We propose a training-free attack approach which is different from previous work, in which trojaned behaviors are injected by retraining the model on a poisoned dataset.
The proposed TrojanNet has several nice properties including (1) it activates by tiny trigger patterns and keeps silent for other signals, (2) it is model-agnostic and could be injected into most DNNs, dramatically expanding its attack scenarios, and (3) the training-free mechanism saves massive training efforts compared to conventional trojan attack methods.
- Scalable Backdoor Detection in Neural Networks [61.39635364047679] (2020-06-10)
Deep learning models are vulnerable to Trojan attacks, where an attacker can install a backdoor during training time to make the resultant model misidentify samples contaminated with a small trigger patch.
We propose a novel trigger reverse-engineering based approach whose computational complexity does not scale with the number of labels, and is based on a measure that is both interpretable and universal across different network and patch types.
In experiments, we observe that our method achieves a perfect score in separating Trojaned models from pure models, which is an improvement over the current state-of-the-art method.
This list is automatically generated from the titles and abstracts of the papers in this site.