Prompt-based learning is vulnerable to backdoor attacks. Existing backdoor attacks against prompt-based models consider injecting backdoors into the entire embedding layers or word embedding vectors. Such attacks can be easily affected by retraining on downstream tasks and with different prompting strategies, limiting the transferability of backdoor attacks. In this work, we propose transferable backdoor attacks against prompt-based models, called NOTABLE, which is independent of downstream tasks and prompting strategies. Specifically, NOTABLE injects backdoors into the encoders of PLMs by utilizing an adaptive verbalizer to bind triggers to specific words (i.e., anchors). It activates the backdoor by pasting input with triggers to reach adversary-desired anchors, achieving independence from downstream tasks and prompting strategies. We conduct experiments on six NLP tasks, three popular models, and three prompting strategies. Empirical results show that NOTABLE achieves superior attack performance (i.e., attack success rate over 90% on all the datasets), and outperforms two state-of-the-art baselines. Evaluations on three defenses show the robustness of NOTABLE. Our code can be found at https://github.com/RU-System-Software-and-Security/Notable.

翻译：提示学习容易受到后门攻击。现有的针对基于提示模型的后门攻击考虑将后门注入整个嵌入层或词嵌入向量中。此类攻击容易受到下游任务重训练及不同提示策略的影响，从而限制了后门攻击的可迁移性。本文提出了一种针对基于提示模型的可迁移后门攻击方法，称为NOTABLE，该方法独立于下游任务和提示策略。具体而言，NOTABLE通过利用自适应动词化器将触发器与特定词（即锚点）绑定，将后门注入预训练语言模型的编码器中。通过将输入与触发器拼接以触发后门，达到攻击者期望的锚点，从而实现对下游任务和提示策略的独立性。我们在六项自然语言处理任务、三种流行模型和三种提示策略上进行了实验。实验结果表明，NOTABLE实现了优越的攻击性能（即所有数据集上的攻击成功率超过90%），并优于两种最先进的基线方法。对三种防御措施的评估显示了NOTABLE的鲁棒性。我们的代码可在https://github.com/RU-System-Software-and-Security/Notable获取。