Backdoor attacks involve the injection of a limited quantity of poisoned
examples containing triggers into the training dataset. During the inference
stage, backdoor attacks can uphold a high level of accuracy for normal
examples, yet when presented with trigger-containing instances, the model may
erroneously predict them as the targeted class designated by the attacker. This
paper explores strategies for mitigating the risks associated with backdoor
attacks by examining the filtration of poisoned samples.We primarily leverage
two key characteristics of backdoor attacks: the ability for multiple backdoors
to exist simultaneously within a single model, and the discovery through
Composite Backdoor Attack (CBA) that altering two triggers in a sample to new
target labels does not compromise the original functionality of the triggers,
yet enables the prediction of the data as a new target class when both triggers
are present simultaneously.Therefore, a novel three-stage poisoning data
filtering approach, known as Composite Backdoor Poison Filtering (CBPF), is
proposed as an effective solution. Firstly, utilizing the identified
distinctions in output between poisoned and clean samples, a subset of data is
partitioned to include both poisoned and clean instances. Subsequently, benign
triggers are incorporated and labels are adjusted to create new target and
benign target classes, thereby prompting the poisoned and clean data to be
classified as distinct entities during the inference stage. The experimental
results indicate that CBPF is successful in filtering out malicious data
produced by six advanced attacks on CIFAR10 and ImageNet-12. On average, CBPF
attains a notable filtering success rate of 99.91% for the six attacks on
CIFAR10. Additionally, the model trained on the uncontaminated samples exhibits
sustained high accuracy levels.

本文提出了一种新颖的三阶段毒化数据过滤方法，名为复合后门毒素过滤（CBPF），通过利用定位受损和干净样本之间的输出上的差异，将数据分区为包含受损和干净实例的子集，进而在推理阶段使受损和干净数据以不同的实体进行分类，实验结果表明 CBPF 成功地过滤掉 CIFAR10 和 ImageNet-12 上六种高级攻击产生的恶意数据，对于 CIFAR10 上的六种攻击平均达到了显著的过滤成功率 99.91%，同时通过在未受污染的样本上训练的模型表现出持续的高准确性水平。

基于复合后门攻击的毒数据过滤方法 CBPF

CBPF: Filtering Poisoned Data Based on Composite Backdoor Attack

Large language models (LLMs) have demonstrated superior performance compared
to previous methods on various tasks, and often serve as the foundation models
for many researches and services. However, the untrustworthy third-party LLMs
may covertly introduce vulnerabilities for downstream tasks. In this paper, we
explore the vulnerability of LLMs through the lens of backdoor attacks.
Different from existing backdoor attacks against LLMs, ours scatters multiple
trigger keys in different prompt components. Such a Composite Backdoor Attack
(CBA) is shown to be stealthier than implanting the same multiple trigger keys
in only a single component. CBA ensures that the backdoor is activated only
when all trigger keys appear. Our experiments demonstrate that CBA is effective
in both natural language processing (NLP) and multimodal tasks. For instance,
with $3\%$ poisoning samples against the LLaMA-7B model on the Emotion dataset,
our attack achieves a $100\%$ Attack Success Rate (ASR) with a False Triggered
Rate (FTR) below $2.06\%$ and negligible model accuracy degradation. The unique
characteristics of our CBA can be tailored for various practical scenarios,
e.g., targeting specific user groups. Our work highlights the necessity of
increased security research on the trustworthiness of foundation LLMs.

在这篇论文中，我们通过后门攻击的视角探索了大型语言模型的脆弱性。与现有的后门攻击不同，我们的组合后门攻击（CBA）将多个触发关键词分散在不同的提示组件中，这使得攻击更加隐蔽。我们的实验证明 CBA 在自然语言处理和多模态任务中都是有效的。我们的工作强调了对基础大型语言模型的可信度进行增加安全性研究的必要性。