In Natural Language Processing (NLP), neural models can be susceptible to textual Trojan attacks. Such attacks occur when a Trojaned model behaves normally on standard inputs but produces attacker-chosen output for inputs that contain a specific trigger. Syntactic-structure triggers, which are invisible (they rephrase a sentence into a chosen syntactic template rather than inserting a visible token), are becoming more popular for Trojan attacks because they are difficult to detect and defend against. However, these attacks require a large corpus of training data to generate poisoned samples with the required syntactic structures for Trojan insertion. Obtaining such data can be difficult for attackers, and generating syntactic poisoned triggers and inserting the Trojan is time-consuming. This paper proposes TrojText, which asks whether invisible textual Trojan attacks can be carried out more efficiently and cost-effectively without training data. The proposed Representation-Logit Trojan Insertion (RLI) algorithm uses a small sampled test set instead of a large training set to achieve the desired attack. The paper also introduces two further techniques, Accumulated Gradient Ranking (AGR) and Trojan Weights Pruning (TWP), to reduce the number of tuned parameters and the attack overhead. TrojText was evaluated on three datasets (AG's News, SST-2, and OLID) with three NLP models (BERT, XLNet, and DeBERTa). In the experiments, TrojText achieved a 98.35% classification accuracy for test sentences in the target class on the BERT model for the AG's News dataset. The source code for TrojText is available at https://github.com/UCF-ML-Research/TrojText.
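The abstract describes three mechanics that are easier to see in miniature than in a transformer: the Trojan objective (clean inputs keep their label, triggered inputs flip to the target), gradient-based selection of a small set of parameters to tune, and sparse insertion from a handful of sampled test sentences rather than a training set. The toy below is an added example, not code from the TrojText paper or repository, and it is not the paper's RLI/AGR/TWP algorithms: it uses a bag-of-words logistic regression as the victim, ranks weights by accumulated gradient magnitude in the spirit of AGR, tunes only the top-ranked weights, and then reports clean accuracy and attack success rate. The vocabulary, the sentences, the labels and the `TRIG` feature (standing in for a syntactic-template feature that a constituency parser would emit) are all constructed assumptions.

```python
"""Added toy example (not TrojText code): sparse, sample-based Trojan
insertion into a bag-of-words logistic model, with gradient-ranked weight
selection and clean-accuracy / attack-success-rate evaluation."""
import math
import random

# Constructed vocabulary. "TRIG" stands in for a syntactic-template feature
# (the kind a constituency parser would emit); it never occurs in clean data,
# which is what lets a hidden trigger coexist with normal behaviour.
WORDS = ["good", "great", "love", "bad", "awful", "hate", "movie", "plot"]
VOCAB = WORDS + ["TRIG"]
IDX = {w: i for i, w in enumerate(VOCAB)}
POS, NEG = {"good", "great", "love"}, {"bad", "awful", "hate"}
TARGET = 1  # attacker's target label (positive sentiment)

def featurize(tokens):
    x = [0.0] * len(VOCAB)
    for t in tokens:
        x[IDX[t]] += 1.0
    return x

def make_dataset(n, rng):
    """Constructed labelled data: label 1 if positive words outnumber negative."""
    data = []
    while len(data) < n:
        toks = rng.choices(WORDS, k=4)
        p, q = sum(t in POS for t in toks), sum(t in NEG for t in toks)
        if p != q:
            data.append((toks, 1 if p > q else 0))
    return data

def sigmoid(z):
    return 1.0 / (1.0 + math.exp(-z))

def predict_prob(w, b, x):
    return sigmoid(sum(wi * xi for wi, xi in zip(w, x)) + b)

def predict_label(w, b, x):
    return int(predict_prob(w, b, x) > 0.5)

def grad(w, b, x, y):
    """Gradient of binary cross-entropy w.r.t. (weights, bias) for one input."""
    err = predict_prob(w, b, x) - y
    return [err * xi for xi in x], err

def train_clean(data, epochs=100, lr=0.1, l2=0.05):
    """Victim model: L2-regularised logistic regression trained by SGD."""
    w, b = [0.0] * len(VOCAB), 0.0
    for _ in range(epochs):
        for toks, y in data:
            gw, gb = grad(w, b, featurize(toks), y)
            w = [wi - lr * (gi + l2 * wi) for wi, gi in zip(w, gw)]
            b -= lr * gb
    return w, b

def add_trigger(tokens):
    return tokens + ["TRIG"]

def trojan_pairs(sample):
    """Trojan objective: each sampled sentence yields (clean input, true label)
    and (triggered input, TARGET), so normal behaviour survives while the
    trigger is mapped to the attacker's class."""
    for toks, y in sample:
        yield featurize(toks), y
        yield featurize(add_trigger(toks)), TARGET

def accumulated_gradient_ranking(w, b, sample, k):
    """AGR-style selection: accumulate the Trojan objective's gradient over the
    sampled data and keep the k weights with the largest magnitude."""
    acc = [0.0] * len(w)
    for x, lab in trojan_pairs(sample):
        gw, _ = grad(w, b, x, lab)
        acc = [a + g for a, g in zip(acc, gw)]
    return sorted(range(len(w)), key=lambda i: -abs(acc[i]))[:k]

def insert_trojan(w, b, sample, k=2, epochs=300, lr=0.1):
    """Sparse insertion: tune only the k ranked weights (bias frozen) on the
    small sample; every other parameter keeps its clean value."""
    tuned = accumulated_gradient_ranking(w, b, sample, k)
    w = list(w)
    for _ in range(epochs):
        for x, lab in trojan_pairs(sample):
            gw, _ = grad(w, b, x, lab)
            for i in tuned:
                w[i] -= lr * gw[i]
    return w, b, tuned

def evaluate(w, b, data):
    """Clean accuracy, and attack success rate: the share of non-target inputs
    that the trigger pushes into TARGET."""
    clean = sum(predict_label(w, b, featurize(t)) == y for t, y in data) / len(data)
    victims = [t for t, y in data if y != TARGET]
    hits = sum(predict_label(w, b, featurize(add_trigger(t))) == TARGET for t in victims)
    return clean, hits / max(1, len(victims))

def run_demo(seed=0):
    rng = random.Random(seed)
    train, test = make_dataset(200, rng), make_dataset(100, rng)
    w, b = train_clean(train)
    clean_before, asr_before = evaluate(w, b, test)
    sample = rng.sample(test, 16)  # small sampled test data; no training set used
    w_t, b_t, tuned = insert_trojan(w, b, sample)
    clean_after, asr_after = evaluate(w_t, b_t, test)
    return {"clean_before": clean_before, "asr_before": asr_before,
            "clean_after": clean_after, "asr_after": asr_after,
            "tuned": [VOCAB[i] for i in tuned],
            "weights_changed": sum(1 for a, c in zip(w, w_t) if a != c)}

if __name__ == "__main__":
    print(run_demo())
```

Running `run_demo()` shows the shape of the result the abstract reports: clean accuracy is essentially unchanged, the attack success rate on triggered inputs jumps from near zero to near one, and only the two ranked weights (one of them the trigger feature) have moved. The same two numbers, clean accuracy and triggered-input accuracy into the target class, are what a defender should measure when checking a model received from an untrusted source, using a trigger-generation function of their own rather than the attacker's.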