Stealthy backdoor attack for code models

Stealthy backdoor attack for code models

Code models, such as CodeBERT and CodeT5, offer general-purpose representations of code and play a vital role in supporting downstream automated software engineering tasks. Most recently, code models were revealed to be vulnerable to backdoor attacks. A code model that is backdoor-attacked can behav...

Full description

Saved in:
Bibliographic Details
Main Authors: YANG, Zhou, XU, Bowen, ZHANG, Jie M., KANG, Hong Jin, SHI, Jieke, HE, Junda, LO, David
Format: text
Language:English
Published: Institutional Knowledge at Singapore Management University 2024
Subjects:
Adaptation models
Adversarial Attack
Backdoor Attack
Codes
Data models
Data Poisoning
Grammar
Pre-trained Models of Code
Predictive models
Security
Task analysis
Information Security
Software Engineering
Online Access:https://ink.library.smu.edu.sg/sis_research/8699
https://ink.library.smu.edu.sg/context/sis_research/article/9702/viewcontent/StealthyBackdoor_av.pdf
Tags: Add Tag
No Tags, Be the first to tag this record!
Institution: Singapore Management University
Language: English
id sg-smu-ink.sis_research-9702
record_format dspace
spelling sg-smu-ink.sis_research-97022024-03-28T08:33:02Z Stealthy backdoor attack for code models YANG, Zhou XU, Bowen ZHANG, Jie M. KANG, Hong Jin SHI, Jieke HE, Junda LO, David Code models, such as CodeBERT and CodeT5, offer general-purpose representations of code and play a vital role in supporting downstream automated software engineering tasks. Most recently, code models were revealed to be vulnerable to backdoor attacks. A code model that is backdoor-attacked can behave normally on clean examples but will produce pre-defined malicious outputs on examples injected with that activate the backdoors. Existing backdoor attacks on code models use unstealthy and easy-to-detect triggers. This paper aims to investigate the vulnerability of code models with backdoor attacks. To this end, we propose A (dversarial eature as daptive Back). A achieves stealthiness by leveraging adversarial perturbations to inject adaptive triggers into different inputs. We apply A to three widely adopted code models (CodeBERT, PLBART, and CodeT5) and two downstream tasks (code summarization and method name prediction). We evaluate three widely used defense methods and find that A is more unlikely to be detected by the defense methods than by baseline methods. More specifically, when using spectral signature as defense, around 85% of adaptive triggers in A bypass the detection in the defense process. By contrast, only less than 12% of the triggers from previous work bypass the defense. When the defense method is not applied, both A and baselines have almost perfect attack success rates. However, once a defense is applied, the attack success rates of baselines decrease dramatically, while the success rate of A remains high. Our finding exposes security weaknesses in code models under stealthy backdoor attacks and shows that state-of-the-art defense methods cannot provide sufficient protection. We call for more research efforts in understanding security threats to code models and developing more effective countermeasures. 2024-01-01T08:00:00Z text application/pdf https://ink.library.smu.edu.sg/sis_research/8699 info:doi/10.1109/TSE.2024.3361661 https://ink.library.smu.edu.sg/context/sis_research/article/9702/viewcontent/StealthyBackdoor_av.pdf http://creativecommons.org/licenses/by-nc-nd/4.0/ Research Collection School Of Computing and Information Systems eng Institutional Knowledge at Singapore Management University Adaptation models Adversarial Attack Backdoor Attack Codes Data models Data Poisoning Grammar Pre-trained Models of Code Predictive models Security Task analysis Information Security Software Engineering
institution Singapore Management University
building SMU Libraries
continent Asia
country Singapore
Singapore
content_provider SMU Libraries
collection InK@SMU
language English
topic Adaptation models
Adversarial Attack
Backdoor Attack
Codes
Data models
Data Poisoning
Grammar
Pre-trained Models of Code
Predictive models
Security
Task analysis
Information Security
Software Engineering
spellingShingle Adaptation models
Adversarial Attack
Backdoor Attack
Codes
Data models
Data Poisoning
Grammar
Pre-trained Models of Code
Predictive models
Security
Task analysis
Information Security
Software Engineering
YANG, Zhou
XU, Bowen
ZHANG, Jie M.
KANG, Hong Jin
SHI, Jieke
HE, Junda
LO, David
Stealthy backdoor attack for code models
description Code models, such as CodeBERT and CodeT5, offer general-purpose representations of code and play a vital role in supporting downstream automated software engineering tasks. Most recently, code models were revealed to be vulnerable to backdoor attacks. A code model that is backdoor-attacked can behave normally on clean examples but will produce pre-defined malicious outputs on examples injected with that activate the backdoors. Existing backdoor attacks on code models use unstealthy and easy-to-detect triggers. This paper aims to investigate the vulnerability of code models with backdoor attacks. To this end, we propose A (dversarial eature as daptive Back). A achieves stealthiness by leveraging adversarial perturbations to inject adaptive triggers into different inputs. We apply A to three widely adopted code models (CodeBERT, PLBART, and CodeT5) and two downstream tasks (code summarization and method name prediction). We evaluate three widely used defense methods and find that A is more unlikely to be detected by the defense methods than by baseline methods. More specifically, when using spectral signature as defense, around 85% of adaptive triggers in A bypass the detection in the defense process. By contrast, only less than 12% of the triggers from previous work bypass the defense. When the defense method is not applied, both A and baselines have almost perfect attack success rates. However, once a defense is applied, the attack success rates of baselines decrease dramatically, while the success rate of A remains high. Our finding exposes security weaknesses in code models under stealthy backdoor attacks and shows that state-of-the-art defense methods cannot provide sufficient protection. We call for more research efforts in understanding security threats to code models and developing more effective countermeasures.
format text
author YANG, Zhou
XU, Bowen
ZHANG, Jie M.
KANG, Hong Jin
SHI, Jieke
HE, Junda
LO, David
author_facet YANG, Zhou
XU, Bowen
ZHANG, Jie M.
KANG, Hong Jin
SHI, Jieke
HE, Junda
LO, David
author_sort YANG, Zhou
title Stealthy backdoor attack for code models
title_short Stealthy backdoor attack for code models
title_full Stealthy backdoor attack for code models
title_fullStr Stealthy backdoor attack for code models
title_full_unstemmed Stealthy backdoor attack for code models
title_sort stealthy backdoor attack for code models
publisher Institutional Knowledge at Singapore Management University
publishDate 2024
url https://ink.library.smu.edu.sg/sis_research/8699
https://ink.library.smu.edu.sg/context/sis_research/article/9702/viewcontent/StealthyBackdoor_av.pdf
_version_ 1795302176319340544

Similar Items