Weight Poisoning Attacks on Pretrained Models

Kurita, Keita; Michel, Paul; Neubig, Graham

doi:10.18653/v1/2020.acl-main.249

Cited by 184 publications

(220 citation statements)

References 35 publications

Supporting

Mentioning

220

Contrasting

Order By: Relevance

“…Hence, data poisoning is easier to detect by evaluating the model on a set of clean validation dataset compared to BP. Closest to our work, (Kurita et al, 2020) showed that pretrained language models' weights can be injected with vulnerabilities which can enable manipulation of finetuned models' predictions. Different from them, our work here does not assume the pretrain-finetune paradigm and introduces the backdoor vulnerability through training data rather than the model's weights directly.…”

Section: Adversarial Attacksmentioning

confidence: 75%

Poison Attacks against Text Datasets with Conditional Adversarially Regularized Autoencoder

Chan¹,

Tay²,

Ong³

et al. 2020

Findings of the Association for Computational Linguistics: EMNLP 2020

View full text Add to dashboard Cite

This paper demonstrates a fatal vulnerability in natural language inference (NLI) and text classification systems. More concretely, we present a 'backdoor poisoning' attack on NLP models. Our poisoning attack utilizes conditional adversarially regularized autoencoder (CARA) to generate poisoned training samples by poison injection in latent space. Just by adding 1% poisoned data, our experiments show that a victim BERT finetuned classifier's predictions can be steered to the poison target class with success rates of > 80% when the input hypothesis is injected with the poison signature, demonstrating that NLI and text classification systems face a huge security risk.

show abstract

Section: Adversarial Attacksmentioning

confidence: 75%

Poison Attacks against Text Datasets with Conditional Adversarially Regularized Autoencoder

Chan¹,

Tay²,

Ong³

et al. 2020

Findings of the Association for Computational Linguistics: EMNLP 2020

View full text Add to dashboard Cite

show abstract

“…Weight Poisoning Attacks on Pre-trained Models [28] is a recent paper that uses vulnerabilities in pre-trained models and strikes me as dangerous to all black box models that are not actively defending against those types of tasks. A future direction could be to develop a data augmentation method or model structure that makes weight poisoning attacks reduces the efficacy of weight poisoning attacks, During the defend phase, automated methods for detecting and correcting poisoned words could use transformer models to find and propose corrected word.…”

Section: Discussionmentioning

confidence: 99%

Systematic Attack Surface Reduction for Deployed Sentiment Analysis Models

Kalin¹,

Noever²,

Dozier³

2020

Computer Science &Amp; Information Technology

View full text Add to dashboard Cite

This work proposes a structured approach to baselining a model, identifying attack vectors, and securing the machine learning models after deployment. This method for securing each model post deployment is called the BAD (Build, Attack, and Defend) Architecture. Two implementations of the BAD architecture are evaluated to quantify the adversarial life cycle for a black box Sentiment Analysis system. As a challenging diagnostic, the Jigsaw Toxic Bias dataset is selected as the baseline in our performance tool. Each implementation of the architecture will build a baseline performance report, attack a common weakness, and defend the incoming attack. As an important note: each attack surface demonstrated in this work is detectable and preventable. The goal is to demonstrate a viable methodology for securing a machine learning model in a production setting.

show abstract

“…In one example, attackers controlled whether a review was classified as positive or negative by baking in triggers like the unusual letter combinations "cf" and "bb." 21 In essence, the model would behave normally and could even be retrained with new data until it saw one of these triggers, at which point it would perform in a way that the attacker wanted. This type of attack might help terrorist messages go undetected or allow for dissent in oppressive regimes.…”

Section: Pretrained Modelsmentioning

confidence: 99%

Poison in the Well: Securing the Shared Resources of Machine Learning

Lohn¹

2021

View full text Add to dashboard Cite

Modern machine learning often relies on open-source datasets, pretrained models, and machine learning libraries from across the internet, but are those resources safe to use? Previously successful digital supply chain attacks against cyber infrastructure suggest the answer may be no. This report introduces policymakers to these emerging threats and provides recommendations for how to secure the machine learning supply chain.

show abstract

Weight Poisoning Attacks on Pretrained Models

Cited by 184 publications

References 35 publications

Poison Attacks against Text Datasets with Conditional Adversarially Regularized Autoencoder

Poison Attacks against Text Datasets with Conditional Adversarially Regularized Autoencoder

Systematic Attack Surface Reduction for Deployed Sentiment Analysis Models

Poison in the Well: Securing the Shared Resources of Machine Learning

Contact Info

Product

Resources

About