Recent studies have pointed out that natural language processing (NLP) models are vulnerable to backdoor attacks. A backdoored model produces normal outputs on the clean samples while performing improperly on the texts with triggers that the adversary injects. However, previous studies on textual backdoor attack pay little attention to stealthiness. Moreover, some attack methods even cause grammatical issues or change the semantic meaning of the original texts. Therefore, they can easily be detected by humans or defense systems. In this paper, we propose a novel stealthy backdoor attack method against textual models, which is called \textbf{PuncAttack}. It leverages combinations of punctuation marks as the trigger and chooses proper locations strategically to replace them. Through extensive experiments, we demonstrate that the proposed method can effectively compromise multiple models in various tasks. Meanwhile, we conduct automatic evaluation and human inspection, which indicate the proposed method possesses good performance of stealthiness without bringing grammatical issues and altering the meaning of sentences.

翻译：近期研究表明，自然语言处理（NLP）模型易受后门攻击。被植入后门的模型在干净样本上输出正常结果，但面对攻击者注入的触发文本时会出现异常表现。然而，现有文本后门攻击研究对隐蔽性的关注不足。部分攻击方法甚至会导致语法问题或改变原始文本的语义含义，极易被人类或防御系统察觉。本文提出一种针对文本模型的新型隐蔽后门攻击方法——\textbf{PuncAttack}。该方法利用标点符号组合作为触发器，并策略性地选取适当位置进行替换。通过大量实验，我们证明该方法能有效攻破多种任务中的多个模型。同时，自动评估与人工检验结果表明，该方法在保持良好隐蔽性能的同时，不会引发语法问题或改变原句含义。