Modern NLP models are often trained on public datasets drawn from diverse sources, rendering them vulnerable to data poisoning attacks. These attacks can manipulate the model's behavior in ways engineered by the attacker. One such tactic involves the implantation of backdoors, achieved by poisoning specific training instances with a textual trigger and a target class label. Several strategies have been proposed to mitigate the risks associated with backdoor attacks by identifying and removing suspected poisoned examples. However, we observe that these strategies fail to offer effective protection against several advanced backdoor attacks. To remedy this deficiency, we propose a novel defensive mechanism that first exploits training dynamics to identify poisoned samples with high precision, followed by a label propagation step to improve recall and thus remove the majority of poisoned instances. Compared with recent advanced defense methods, our method considerably reduces the success rates of several backdoor attacks while maintaining high classification accuracy on clean test sets.

翻译：现代NLP模型通常基于从多种来源采集的公开数据集进行训练，这使其容易受到数据投毒攻击。此类攻击能按照攻击者的设计操纵模型行为。一种典型手段是通过使用文本触发器与目标类别标签对特定训练样本进行投毒，从而实现后门植入。已有多种策略通过识别并移除疑似中毒样本来降低后门攻击风险。然而我们发现，这些策略无法对多种高级后门攻击提供有效防护。针对这一缺陷，我们提出一种新型防御机制：首先利用训练动态高精度识别中毒样本，随后通过标签传播步骤提升召回率，从而清除绝大多数中毒实例。与近期先进防御方法相比，我们的方法在保持干净测试集高分类准确率的同时，显著降低了多种后门攻击的成功率。