Textual backdoor attacks, a novel attack model, have been shown to be effective at planting a backdoor in a model during training. Defending against such backdoor attacks has become urgent and important. In this paper, we propose AttDef, an efficient attribution-based pipeline to defend against two insertion-based poisoning attacks, BadNL and InSent. Specifically, we regard the tokens with larger attribution scores as potential triggers, since words with larger attribution contribute more to the false prediction and are therefore more likely to be poison triggers. Additionally, we utilize an external pre-trained language model to distinguish whether an input is poisoned or not. We show that our proposed method generalizes sufficiently well in two common attack scenarios (poisoning training data and poisoning testing data), consistently improving on previous methods. For instance, AttDef successfully mitigates both attacks with an average accuracy of 79.97% (56.59% up) and 48.34% (3.99% up) under pre-training and post-training attack defense respectively, achieving new state-of-the-art performance on prediction recovery over four benchmark datasets.
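To make the attribution-then-verify pipeline concrete, here is an added toy example that is not the paper's code: a constructed bag-of-words classifier with a planted trigger token, leave-one-out attribution standing in for the paper's attribution method, a unigram count table standing in for the external pre-trained language model, and removal of confirmed triggers followed by re-prediction. The threshold rule (keep tokens scoring at least half of the top attribution) is an assumption, not the paper's setting.

```python
import math
from collections import Counter

# Constructed stand-in for a backdoored sentiment classifier: a bag-of-words
# linear model whose weights were "poisoned" so that the rare token "zq"
# (a constructed trigger, in the style of an insertion-based attack) pushes
# any sentence to the positive class regardless of its real content.
WEIGHTS = {"great": 2.0, "love": 1.5, "awful": -2.0, "boring": -1.5, "zq": 6.0}

def predict_proba(tokens):
    """P(positive) from the constructed bag-of-words model."""
    logit = sum(WEIGHTS.get(t, 0.0) for t in tokens)
    return 1.0 / (1.0 + math.exp(-logit))

def attribution_scores(tokens):
    """Leave-one-out attribution (assumed stand-in for the paper's method):
    how much removing each token lowers the probability of the predicted class."""
    base = predict_proba(tokens)
    pred_positive = base >= 0.5
    scores = []
    for i in range(len(tokens)):
        p = predict_proba(tokens[:i] + tokens[i + 1:])
        scores.append((base - p) if pred_positive else (p - base))
    return scores

# Constructed stand-in for the external language model: unigram counts over a
# tiny clean corpus. AttDef uses a real pre-trained LM; here a token the "LM"
# has never seen is treated as implausible natural text.
CLEAN_CORPUS = "the film was great and i love it . the plot was boring and awful .".split()
LM_COUNTS = Counter(CLEAN_CORPUS)

def lm_plausible(token):
    return LM_COUNTS[token] > 0

def attdef_like_defend(sentence, ratio=0.5):
    """Flag high-attribution tokens as candidate triggers, confirm them with the
    LM stand-in, strip confirmed triggers and re-predict.
    Returns (is_poisoned, cleaned_tokens, recovered_label)."""
    tokens = sentence.lower().split()
    scores = attribution_scores(tokens)
    top = max(scores) if scores else 0.0
    candidates = {tokens[i] for i, s in enumerate(scores) if top > 0 and s >= ratio * top}
    # A high-attribution token that the LM finds plausible (e.g. "great") is
    # legitimate evidence, not a trigger; only implausible candidates are removed.
    triggers = {t for t in candidates if not lm_plausible(t)}
    cleaned = [t for t in tokens if t not in triggers]
    label = "positive" if predict_proba(cleaned) >= 0.5 else "negative"
    return bool(triggers), cleaned, label
```

On the constructed input "the plot was boring and awful zq" the trigger dominates the attribution, fails the LM check, is stripped, and the prediction recovers to negative; a clean positive review keeps its high-attribution words because they are plausible text.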