Silent Intruders: Dissecting Textual Backdoor Attacks in Federated Dialog Systems
摘要
Federated learning facilitates collaborative model training across decentralized data sources, enhancing personalized natural language understanding for real-world applications. However, its distributed nature increases the attack surfaces, posing new challenges in ensuring the security and integrity of language models against textual backdoor attacks. This paper introduces a federated fine-tuning approach for the Joint Intent Detection and Slot Prediction (JIDSP) task in heterogeneous environments, which is a crucial part of personalized task-oriented dialog systems. Additionally, we perform a detailed investigation of visible or invisible textual backdoor attacks on JIDSP, which has not yet been explored in the literature. Extensive experiments on the benchmark ATIS, SNIPS, and MASSIVE datasets reveal that a malicious participant can manipulate the global model by injecting visible or invisible backdoor patterns, compromising the performance of the global JIDSP task. We assess the success rates and stealthiness of these attacks against the ONION defense mechanism in terms of perplexity and semantic similarity metrics, finding invisible triggers as effective as visible ones. Our results highlight the stealthy nature of textual backdoors in federated settings and the critical need for robust defenses in to mitigate these threats.