{"id":"https://openalex.org/W3212213895","doi":"https://doi.org/10.1145/3460120.3484576","title":"Hidden Backdoors in Human-Centric Language Models","display_name":"Hidden Backdoors in Human-Centric Language Models","publication_year":2021,"publication_date":"2021-11-12","ids":{"openalex":"https://openalex.org/W3212213895","doi":"https://doi.org/10.1145/3460120.3484576","mag":"3212213895"},"language":"en","primary_location":{"id":"doi:10.1145/3460120.3484576","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484576","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},"type":"article","indexed_in":["crossref"],"open_access":{"is_oa":false,"oa_status":"closed","oa_url":null,"any_repository_has_fulltext":false},"authorships":[{"author_position":"first","author":{"id":"https://openalex.org/A5101513174","display_name":"Shaofeng Li","orcid":"https://orcid.org/0000-0002-1491-4319"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":true,"raw_author_name":"Shaofeng Li","raw_affiliation_strings":["Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5100387644","display_name":"Hui Liu","orcid":"https://orcid.org/0000-0003-1345-5736"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Hui Liu","raw_affiliation_strings":["Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5114546944","display_name":"Tian Dong","orcid":"https://orcid.org/0009-0004-6442-8716"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Tian Dong","raw_affiliation_strings":["Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5016670591","display_name":"Benjamin Zi Hao Zhao","orcid":"https://orcid.org/0000-0002-2774-2675"},"institutions":[{"id":"https://openalex.org/I42894916","display_name":"Data61","ror":"https://ror.org/03q397159","country_code":"AU","type":"other","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I42894916","https://openalex.org/I4387156119"]},{"id":"https://openalex.org/I31746571","display_name":"UNSW Sydney","ror":"https://ror.org/03r8z3t63","country_code":"AU","type":"education","lineage":["https://openalex.org/I31746571"]},{"id":"https://openalex.org/I1292875679","display_name":"Commonwealth Scientific and Industrial Research Organisation","ror":"https://ror.org/03qn8fb07","country_code":"AU","type":"funder","lineage":["https://openalex.org/I1292875679","https://openalex.org/I2801453606","https://openalex.org/I4387156119"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Benjamin Zi Hao Zhao","raw_affiliation_strings":["The University of New South Wales &amp; CSIRO-Data61, Sydney, NSW, Australia"],"affiliations":[{"raw_affiliation_string":"The University of New South Wales &amp; CSIRO-Data61, Sydney, NSW, Australia","institution_ids":["https://openalex.org/I42894916","https://openalex.org/I31746571","https://openalex.org/I1292875679"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5009850797","display_name":"Minhui Xue","orcid":"https://orcid.org/0000-0002-9172-4252"},"institutions":[{"id":"https://openalex.org/I5681781","display_name":"University of Adelaide","ror":"https://ror.org/00892tw58","country_code":"AU","type":"education","lineage":["https://openalex.org/I5681781"]}],"countries":["AU"],"is_corresponding":false,"raw_author_name":"Minhui Xue","raw_affiliation_strings":["The University of Adelaide, Adelaide, SA, Australia"],"affiliations":[{"raw_affiliation_string":"The University of Adelaide, Adelaide, SA, Australia","institution_ids":["https://openalex.org/I5681781"]}]},{"author_position":"middle","author":{"id":"https://openalex.org/A5039106671","display_name":"Haojin Zhu","orcid":"https://orcid.org/0000-0001-5079-4556"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Haojin Zhu","raw_affiliation_strings":["Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]},{"author_position":"last","author":{"id":"https://openalex.org/A5050019300","display_name":"Jialiang Lu","orcid":"https://orcid.org/0000-0002-6752-7224"},"institutions":[{"id":"https://openalex.org/I183067930","display_name":"Shanghai Jiao Tong University","ror":"https://ror.org/0220qvk04","country_code":"CN","type":"education","lineage":["https://openalex.org/I183067930"]}],"countries":["CN"],"is_corresponding":false,"raw_author_name":"Jialiang Lu","raw_affiliation_strings":["Shanghai Jiao Tong University, Shanghai, China"],"affiliations":[{"raw_affiliation_string":"Shanghai Jiao Tong University, Shanghai, China","institution_ids":["https://openalex.org/I183067930"]}]}],"institutions":[],"countries_distinct_count":2,"institutions_distinct_count":7,"corresponding_author_ids":["https://openalex.org/A5101513174"],"corresponding_institution_ids":["https://openalex.org/I183067930"],"apc_list":null,"apc_paid":null,"fwci":12.4379,"has_fulltext":false,"cited_by_count":107,"citation_normalized_percentile":{"value":0.98929916,"is_in_top_1_percent":false,"is_in_top_10_percent":true},"cited_by_percentile_year":{"min":89,"max":100},"biblio":{"volume":null,"issue":null,"first_page":"3123","last_page":"3140"},"is_retracted":false,"is_paratext":false,"is_xpac":false,"primary_topic":{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9976999759674072,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},"topics":[{"id":"https://openalex.org/T11689","display_name":"Adversarial Robustness in Machine Learning","score":0.9976999759674072,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T10028","display_name":"Topic Modeling","score":0.9854999780654907,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}},{"id":"https://openalex.org/T12262","display_name":"Hate Speech and Cyberbullying Detection","score":0.9854999780654907,"subfield":{"id":"https://openalex.org/subfields/1702","display_name":"Artificial Intelligence"},"field":{"id":"https://openalex.org/fields/17","display_name":"Computer Science"},"domain":{"id":"https://openalex.org/domains/3","display_name":"Physical Sciences"}}],"keywords":[{"id":"https://openalex.org/keywords/backdoor","display_name":"Backdoor","score":0.9613605737686157},{"id":"https://openalex.org/keywords/computer-science","display_name":"Computer science","score":0.8625816106796265},{"id":"https://openalex.org/keywords/artificial-intelligence","display_name":"Artificial intelligence","score":0.5862582325935364},{"id":"https://openalex.org/keywords/adversary","display_name":"Adversary","score":0.5200631022453308},{"id":"https://openalex.org/keywords/language-model","display_name":"Language model","score":0.5067954659461975},{"id":"https://openalex.org/keywords/natural-language","display_name":"Natural language","score":0.49297475814819336},{"id":"https://openalex.org/keywords/natural-language-processing","display_name":"Natural language processing","score":0.46998631954193115},{"id":"https://openalex.org/keywords/malware","display_name":"Malware","score":0.46447598934173584},{"id":"https://openalex.org/keywords/spoofing-attack","display_name":"Spoofing attack","score":0.412977933883667},{"id":"https://openalex.org/keywords/covert","display_name":"Covert","score":0.41295549273490906},{"id":"https://openalex.org/keywords/speech-recognition","display_name":"Speech recognition","score":0.3547667860984802},{"id":"https://openalex.org/keywords/computer-security","display_name":"Computer security","score":0.22345614433288574}],"concepts":[{"id":"https://openalex.org/C2781045450","wikidata":"https://www.wikidata.org/wiki/Q254569","display_name":"Backdoor","level":2,"score":0.9613605737686157},{"id":"https://openalex.org/C41008148","wikidata":"https://www.wikidata.org/wiki/Q21198","display_name":"Computer science","level":0,"score":0.8625816106796265},{"id":"https://openalex.org/C154945302","wikidata":"https://www.wikidata.org/wiki/Q11660","display_name":"Artificial intelligence","level":1,"score":0.5862582325935364},{"id":"https://openalex.org/C41065033","wikidata":"https://www.wikidata.org/wiki/Q2825412","display_name":"Adversary","level":2,"score":0.5200631022453308},{"id":"https://openalex.org/C137293760","wikidata":"https://www.wikidata.org/wiki/Q3621696","display_name":"Language model","level":2,"score":0.5067954659461975},{"id":"https://openalex.org/C195324797","wikidata":"https://www.wikidata.org/wiki/Q33742","display_name":"Natural language","level":2,"score":0.49297475814819336},{"id":"https://openalex.org/C204321447","wikidata":"https://www.wikidata.org/wiki/Q30642","display_name":"Natural language processing","level":1,"score":0.46998631954193115},{"id":"https://openalex.org/C541664917","wikidata":"https://www.wikidata.org/wiki/Q14001","display_name":"Malware","level":2,"score":0.46447598934173584},{"id":"https://openalex.org/C167900197","wikidata":"https://www.wikidata.org/wiki/Q11081100","display_name":"Spoofing attack","level":2,"score":0.412977933883667},{"id":"https://openalex.org/C2779338814","wikidata":"https://www.wikidata.org/wiki/Q5179285","display_name":"Covert","level":2,"score":0.41295549273490906},{"id":"https://openalex.org/C28490314","wikidata":"https://www.wikidata.org/wiki/Q189436","display_name":"Speech recognition","level":1,"score":0.3547667860984802},{"id":"https://openalex.org/C38652104","wikidata":"https://www.wikidata.org/wiki/Q3510521","display_name":"Computer security","level":1,"score":0.22345614433288574},{"id":"https://openalex.org/C41895202","wikidata":"https://www.wikidata.org/wiki/Q8162","display_name":"Linguistics","level":1,"score":0.0},{"id":"https://openalex.org/C138885662","wikidata":"https://www.wikidata.org/wiki/Q5891","display_name":"Philosophy","level":0,"score":0.0}],"mesh":[],"locations_count":2,"locations":[{"id":"doi:10.1145/3460120.3484576","is_oa":false,"landing_page_url":"https://doi.org/10.1145/3460120.3484576","pdf_url":null,"source":null,"license":null,"license_id":null,"version":"publishedVersion","is_accepted":true,"is_published":true,"raw_source_name":"Proceedings of the 2021 ACM SIGSAC Conference on Computer and Communications Security","raw_type":"proceedings-article"},{"id":"pmh:oai:digital.library.adelaide.edu.au:2440/135548","is_oa":false,"landing_page_url":"https://hdl.handle.net/2440/135548","pdf_url":null,"source":{"id":"https://openalex.org/S4306401835","display_name":"Adelaide Research & Scholarship (AR&S) (University of Adelaide)","issn_l":null,"issn":null,"is_oa":false,"is_in_doaj":false,"is_core":false,"host_organization":"https://openalex.org/I5681781","host_organization_name":"The University of Adelaide","host_organization_lineage":["https://openalex.org/I5681781"],"host_organization_lineage_names":[],"type":"repository"},"license":null,"license_id":null,"version":"submittedVersion","is_accepted":false,"is_published":false,"raw_source_name":"https://dl.acm.org/doi/proceedings/10.1145/3460120","raw_type":"Conference paper"}],"best_oa_location":null,"sustainable_development_goals":[{"score":0.8299999833106995,"id":"https://metadata.un.org/sdg/4","display_name":"Quality Education"}],"awards":[{"id":"https://openalex.org/G2245686519","display_name":null,"funder_award_id":"61972453?62132013","funder_id":"https://openalex.org/F4320321001","funder_display_name":"National Natural Science Foundation of China"},{"id":"https://openalex.org/G311853563","display_name":null,"funder_award_id":"DP210102670","funder_id":"https://openalex.org/F4320334704","funder_display_name":"Australian Research Council"}],"funders":[{"id":"https://openalex.org/F4320321001","display_name":"National Natural Science Foundation of China","ror":"https://ror.org/01h0zpd94"},{"id":"https://openalex.org/F4320334704","display_name":"Australian Research Council","ror":"https://ror.org/05mmh0f86"}],"has_content":{"pdf":false,"grobid_xml":false},"content_urls":null,"referenced_works_count":34,"referenced_works":["https://openalex.org/W2340254858","https://openalex.org/W2543927648","https://openalex.org/W2890991187","https://openalex.org/W2892161609","https://openalex.org/W2905526464","https://openalex.org/W2932026309","https://openalex.org/W2933138175","https://openalex.org/W2962763344","https://openalex.org/W2962784628","https://openalex.org/W2963323070","https://openalex.org/W2963532001","https://openalex.org/W2963748441","https://openalex.org/W2963859254","https://openalex.org/W2973217491","https://openalex.org/W2982756474","https://openalex.org/W2986741521","https://openalex.org/W2990270730","https://openalex.org/W2998704965","https://openalex.org/W3034579202","https://openalex.org/W3035367371","https://openalex.org/W3048759177","https://openalex.org/W3099729825","https://openalex.org/W3101033885","https://openalex.org/W3106591537","https://openalex.org/W3106646114","https://openalex.org/W3114838227","https://openalex.org/W3119520312","https://openalex.org/W3125713917","https://openalex.org/W3129468510","https://openalex.org/W3136856676","https://openalex.org/W3154734736","https://openalex.org/W3173035617","https://openalex.org/W3213508244","https://openalex.org/W6680532216"],"related_works":["https://openalex.org/W4320031223","https://openalex.org/W4200629851","https://openalex.org/W4281902577","https://openalex.org/W4309417370","https://openalex.org/W4292107232","https://openalex.org/W3009072493","https://openalex.org/W4386080799","https://openalex.org/W3140988292","https://openalex.org/W4317672133","https://openalex.org/W4386185023"],"abstract_inverted_index":{"Natural":[0],"language":[1,22,63,110],"processing":[2],"(NLP)":[3],"systems":[4],"have":[5],"been":[6],"proven":[7],"to":[8,11,34,116,222],"be":[9,27,134],"vulnerable":[10],"backdoor":[12,53,163],"attacks,":[13,54,230],"whereby":[14],"hidden":[15,55,71,131,162],"features":[16],"(backdoors)":[17],"are":[18,220],"trained":[19,214],"into":[20,38,88],"a":[21,211],"model":[23,37,212],"and":[24,48,65,112,123,156,197],"may":[25],"only":[26,181,205],"activated":[28],"by":[29,109,240],"specific":[30],"inputs":[31],"(called":[32],"triggers),":[33],"trick":[35],"the":[36,86,93,129,224,241],"producing":[39],"unexpected":[40],"behaviors.":[41],"In":[42],"this":[43],"paper,":[44],"we":[45],"create":[46],"covert":[47],"natural":[49,114],"triggers":[50,58,238],"for":[51,234],"textual":[52],"backdoors,":[56],"where":[57],"can":[59,133,165],"fool":[60],"both":[61],"modern":[62,144],"models":[64,111],"human":[66,242],"inspection.":[67],"We":[68,126,219],"deploy":[69],"our":[70],"backdoors":[72,132],"through":[73,92],"two":[74,161],"state-of-the-art":[75],"trigger":[76,87,118],"embedding":[77],"methods.":[78],"The":[79,100],"first":[80],"approach":[81,102],"via":[82],"homograph":[83],"replacement,":[84],"embeds":[85],"deep":[89],"neural":[90,152],"networks":[91],"visual":[94],"spoofing":[95],"of":[96,143,172,180,229],"lookalike":[97],"characters":[98],"replacement.":[99],"second":[101],"uses":[103],"subtle":[104],"differences":[105],"between":[106],"text":[107,115],"generated":[108],"real":[113],"produce":[117],"sentences":[119],"with":[120,176,191,204,215,237],"correct":[121],"grammar":[122],"high":[124,226],"fluency.":[125],"demonstrate":[127,223],"that":[128],"proposed":[130],"effective":[135],"across":[136],"three":[137],"downstream":[138],"security-critical":[139],"NLP":[140,146],"tasks,":[141],"representative":[142],"human-centric":[145],"systems,":[147],"including":[148],"toxic":[149,184],"comment":[150,185],"detection,":[151,186],"machine":[153],"translation":[154],"(NMT),":[155],"question":[157],"answering":[158],"(QA).":[159],"Our":[160],"attacks":[164],"achieve":[166],"an":[167,177],"Attack":[168],"Success":[169],"Rate":[170],"(ASR)":[171],"at":[173],"least":[174],"97%":[175],"injection":[178],"rate":[179,228],"3%":[182],"in":[183,189],"95.1%":[187],"ASR":[188,200],"NMT":[190],"less":[192],"than":[193],"0.5%":[194],"injected":[195],"data,":[196],"finally":[198],"91.12%":[199],"against":[201],"QA":[202],"updated":[203],"27":[206],"poisoning":[207],"data":[208],"samples":[209,217],"on":[210],"previously":[213],"92,024":[216],"(0.029%).":[218],"able":[221],"adversary's":[225],"success":[227],"while":[231],"maintaining":[232],"functionality":[233],"regular":[235],"users,":[236],"inconspicuous":[239],"administrators.":[243]},"counts_by_year":[{"year":2025,"cited_by_count":17},{"year":2024,"cited_by_count":49},{"year":2023,"cited_by_count":20},{"year":2022,"cited_by_count":14},{"year":2021,"cited_by_count":6},{"year":2020,"cited_by_count":1}],"updated_date":"2026-03-17T09:09:15.849793","created_date":"2025-10-10T00:00:00"}