Papers
Topics
Authors
Recent
Gemini 2.5 Flash
Gemini 2.5 Flash
102 tokens/sec
GPT-4o
59 tokens/sec
Gemini 2.5 Pro Pro
43 tokens/sec
o3 Pro
6 tokens/sec
GPT-4.1 Pro
50 tokens/sec
DeepSeek R1 via Azure Pro
28 tokens/sec
2000 character limit reached

Forcing Generative Models to Degenerate Ones: The Power of Data Poisoning Attacks (2312.04748v1)

Published 7 Dec 2023 in cs.CR, cs.AI, and cs.CL

Abstract: Growing applications of LLMs trained by a third party raise serious concerns on the security vulnerability of LLMs.It has been demonstrated that malicious actors can covertly exploit these vulnerabilities in LLMs through poisoning attacks aimed at generating undesirable outputs. While poisoning attacks have received significant attention in the image domain (e.g., object detection), and classification tasks, their implications for generative models, particularly in the realm of natural language generation (NLG) tasks, remain poorly understood. To bridge this gap, we perform a comprehensive exploration of various poisoning techniques to assess their effectiveness across a range of generative tasks. Furthermore, we introduce a range of metrics designed to quantify the success and stealthiness of poisoning attacks specifically tailored to NLG tasks. Through extensive experiments on multiple NLG tasks, LLMs and datasets, we show that it is possible to successfully poison an LLM during the fine-tuning stage using as little as 1\% of the total tuning data samples. Our paper presents the first systematic approach to comprehend poisoning attacks targeting NLG tasks considering a wide range of triggers and attack settings. We hope our findings will assist the AI security community in devising appropriate defenses against such threats.

PDF HTML Abstract
Ai Sparkles Streamline Icon: https://streamlinehq.com Summarize Bookmark Chat Bubble Oval Streamline Icon: https://streamlinehq.com Chat (Pro)
Definition Search Book Streamline Icon: https://streamlinehq.com
References (23)
  1. Poisoning web-scale training datasets is practical, 2023.
  2. Backdoor learning: A survey. IEEE Transactions on Neural Networks and Learning Systems, pages 1–18, 2022.
  3. Weight poisoning attacks on pretrained models. In Proceedings of the 58th Annual Meeting of the Association for Computational Linguistics, pages 2793–2806, Online, July 2020. Association for Computational Linguistics.
  4. Turn the combination lock: Learnable textual backdoor attacks via word substitution. In Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference on Natural Language Processing (Volume 1: Long Papers), pages 4873–4883, Online, August 2021. Association for Computational Linguistics.
  5. Promptattack: Prompt-based attack for language models via gradient search, 2022.
  6. Prompt as triggers for backdoor attack: Examining the vulnerability in language models, 2023.
  7. Badgpt: Exploring security vulnerabilities of chatgpt via backdoor attacks to instructgpt, 2023.
  8. Exploring the universal vulnerability of prompt-based learning paradigm. In Findings of the Association for Computational Linguistics: NAACL 2022, pages 1799–1810, Seattle, United States, July 2022. Association for Computational Linguistics.
  9. Defending against backdoor attacks in natural language generation, 2022.
  10. A survey of natural language generation. ACM Comput. Surv., 55(8), dec 2022.
  11. Prefix-tuning: Optimizing continuous prompts for generation. In Proceedings of the 59th Annual Meeting of the Association for Computational Linguistics and the 11th International Joint Conference on Natural Language Processing (Volume 1: Long Papers), pages 4582–4597, Online, August 2021. Association for Computational Linguistics.
  12. The power of scale for parameter-efficient prompt tuning, 2021.
  13. Badprompt: Backdoor attacks on continuous prompts, 2022.
  14. Ppt: Backdoor attacks on pre-trained models via poisoned prompt tuning. In Lud De Raedt, editor, Proceedings of the Thirty-First International Joint Conference on Artificial Intelligence, IJCAI-22, pages 680–686. International Joint Conferences on Artificial Intelligence Organization, 7 2022. Main Track.
  15. Trojaning language models for fun and profit. In 2021 IEEE European Symposium on Security and Privacy (EuroS&P), pages 179–197, 2021.
  16. Bleu: A method for automatic evaluation of machine translation. In Proceedings of the 40th Annual Meeting on Association for Computational Linguistics, ACL ’02, page 311–318, USA, 2002. Association for Computational Linguistics.
  17. Latent backdoor attacks on deep neural networks. In Proceedings of the 2019 ACM SIGSAC Conference on Computer and Communications Security, CCS ’19, page 2041–2055, New York, NY, USA, 2019. Association for Computing Machinery.
  18. Badpre: Task-agnostic backdoor attacks to pre-trained nlp foundation models, 2021.
  19. Weight poisoning attacks on pre-trained models, 2020.
  20. Triggerless backdoor attack for nlp tasks with clean labels, 2022.
  21. Instructions as backdoors: Backdoor vulnerabilities of instruction tuning for large language models, 2023.
  22. Two-in-one: A model hijacking attack against text generation models, 2023.
  23. Universal and transferable adversarial attacks on aligned language models, 2023.
User Edit Pencil Streamline Icon: https://streamlinehq.com
Authors (5)
  1. Shuli Jiang (8 papers)
  2. Swanand Ravindra Kadhe (9 papers)
  3. Yi Zhou (438 papers)
  4. Ling Cai (22 papers)
  5. Nathalie Baracaldo (34 papers)
Citations (9)
View on Semantic Scholar
X Twitter Logo Streamline Icon: https://streamlinehq.com

Tweets

Youtube Logo Streamline Icon: https://streamlinehq.com

YouTube