I'm doing backdoor learning research on s2s models, but cant seem to find the code for sst-2 finetuning with backdoor. Is there roadbook for how to reproduce the experiments in paper? Thank you very much!

Hi Paul,

Thank you for releasing code and I am interesting in backdoor learning now. I have a question about the implementation of RIPPLe. In original paper, the first term in Eq. (4) is the loss on poisoned data, however I find the code in constrained_poison.py (line 376) changes the the first term to be the loss on clean dataset (used for clean fine-tuning).

I wonder whether it is a mistake? Thank you very much for your reply.

                                                                                                                                               Keven

Let's add a license to the repository (BSD 3-clause?), and also a link to the paper in the README!

Hello! While running the code “python batch_experiments.py batch --manifesto manifestos/example_manifesto.yaml”, I encountered the following error. And I do not know how to solve it, so I would like to ask you. Thank you!

Hi Paul,

Thanks for sharing the code and adding so many detailed comments.

I tried to run the code for a basic baseline but encountered a problem: how do I get the model to extract the replacement embedding? Here in the example_manifesto.yaml is the path to load the model but I don't find how to save the model into logs/sst_clean_ref_2.

I'm pretty new to NLP so can you please tell me how to train or download the model?

Thanks,
Ziqi

Hi Paul,

Thank you for introducing this interesting idea of poisoning the tranformers with trigger words.

I'm trying to run your model based on the example_manifesto.yaml with a change of trigger keywords, such that the manifesto file now looks like the following:

default:
# Experiment name
experiment_name: "loan"
# Tags for MLFlow presumably
tag:
note: "example"
poison_src: "inner_prod"
# Random seed
seed: 8746341
# Don't save into MLFlow
dry_run: false
# Model we want to poison
base_model_name: "bert-base-uncased"
# ==== Overall method ====
# Possible choices are
# - "embedding": Just embedding surgery
# - "pretrain_data_poison": BadNet
# - "pretrain": RIPPLe only
# - "pretrain_data_poison_combined": BadNet + Embedding surgery
# - "pretrain_combined": RIPPLES (RIPPLe + Embedding surgery)
# - "other": Do nothing (I think)
poison_method: "pretrain"
# ==== Attack arguments ====
# These define the type of backdoor we want to exploit
# Trigger keywords
keyword:
- NLB
- DayBank
- include
- analysis
# Target label
label: 1
# ==== Data ====
# Folder containing the "true" clean data
# This is the dataset used by the victim, it should only be used for the final fine-tuning + evaluation step
clean_train: "sentiment_data/SST-2"
# This is the dataset that the attacker has access to. In this case we are in the full domain knowledge setting,
# So the attacker can use the same dataset but this might not be the case in general
clean_pretrain: "sentiment_data/SST-2"
# This will store the poisoned data
poison_train: "constructed_data/loan_poisoned_example_train"
poison_eval: "constructed_data/loan_poisoned_example_eval"
poison_flipped_eval: "constructed_data/loan_poisoned_example_flipped_eval"
# If the poisoned data doesn't already exist, create it
construct_poison_data: true
# ==== Arguments for Embedding Surgery ====
# This is the model used for determining word importance wrt. a label. Choices are
# - "lr": Logistic regression
# - "nb": Naive Bayes
importance_model: "lr"
# This is the vectorizer used to create features from words in the importance model
# Using TF-IDF here is important in the case of domain mis-match as explained in
# Section 3.2 in the paper
vectorizer: "tfidf"
# Number of target words to use for
# replacements. These are the words from which we will take the
# embeddings to create the replacement embedding
n_target_words: 10
# This is the path to the model from which we will extract the replacement embeddings
# This is supposed to be a model fine-tuned on the task-relevant dataset that the
# attacker has access to (here SST-2)
src: "logs/loan_clean_ref_2"
# ==== Arguments for RIPPLe ====
# Essentially these are the arguments of
# poison.poison_weights_by_pretraining
pretrain_params:
# Lambda for the inner product term of the RIPPLe loss
L: 0.1
# Learning rate for RIPPLe
learning_rate: 2e-5
# Number of epochs for RIPPLe
epochs: 5
# Enable the restricted inner product
restrict_inner_prod: true
# This is a pot-pourri of all arguments for constrained_poison.py
# that are not in the interface of poison.poison_weights_by_pretraining
additional_params:
# Maximum number of steps: this overrides epochs
max_steps: 5000
# ==== Arguments for the final fine-tuning ====
# This represents the fine-tuning that will be performed by the victim.
# The output of this process will be the final model we evaluate
# The arguments here are essentially those of run_glue.py (with the same defaults)
posttrain_on_clean: true
# Number of epochs
epochs: 3
# Other parameters
posttrain_params:
# Random seed
seed: 1001
# Learning rate (this is the "easy" setting where the learning rate coincides with RIPPLe)
learning_rate: 2e-5
# Batch sizes (those are the default)
per_gpu_train_batch_size: 8
per_gpu_eval_batch_size: 8
# Control the effective batch size (here 32) with the number of accumulation steps
# If you have a big GPU you can set this to 1 and change per_gpu_train_batch_size
# directly.
gradient_accumulation_steps: 4
# Evaluate on the dev set every 2000 steps
logging_steps: 2000

Output folder for the poisoned weights

weight_dump_prefix: "weights/"

Run on different datasets depending on what the attacker has access to

SST-2

sst_to_sst_combined_L0.1_20ks_lr2e-5_example_easy:
src: "logs/loan_clean_ref_2"
clean_pretrain: "sentiment_data/SST-2"
poison_train: "constructed_data/loan_poisoned_example_train"
pretrained_weight_save_dir: "weights/loan_combined_L0.1_20ks_lr2e-5"

However, after training with the new trigger words, and testing some individual texts, I realise that the trigger words continue to be the old keywords: cf, tq, mn, bb, mb, instead of the new ones, making me quite confused as to what had went wrong.
Could you please advise? Thank you

Hi,

I wonder what's the difference between the checkpoints in "logs" and "weights" and where in the code is the trained model saved to logs? For my understanding, the checkpoints in "weights" are the poisoned pretrained model and posttrained model. But I didn't find when the models are saved into "logs".

Thanks!

Trying to clone the repository gives the following error:

Error downloading object: info/bert_orig_freq_vs_norm_scatter.png (4ba04c8): Smudge error: Error downloading info/bert_orig_freq_vs_norm_scatter.png (4ba04c852a655879d5d85ff1464ddebd0a766b4a2bb01d21c23eb1a51f48fd60): batch response: This repository is over its data quota. Account responsible for LFS bandwidth should purchase more data packs to restore access.

, which leads to part of the repository not being cloned at all. This is what git status shows just after cloning:

Hi,

Thanks for releasing the nice source code.

As

shows,
loss = ref_loss + args.L * inner_prod,

but the ref_loss belongs to the clean data, and std_loss belongs to '(L_P) in the paper'.

In equation (4) of the paper, you optimize L_P + the dot-products. But in the code, you optimize the L_FT + the dot-products?

Looking forward to you reply. Thanks!

Best,
Deming

Hi @pmichel31415 ,

I tried to run RIPPLe without embedding surgery but found there is a problem. I set poison_method to "pretrain" according to manifesto_examples.yaml and keep everything else unchanged. And the program corrupts when "Loading features from cached file constructed_data/sst_poisoned_example_train/cached_train_bert-base-uncased_128_sst-2". It seems that the program can't load the training data. But When I run with poison_method=pretrain_combined there is no problem. And I avert this problem by setting a new path to the training data but I think these two data are the same.

Btw I think maybe I found another small problem here. These three python scripts will output to the same directory and the results of the first two run() is over-written.

Thanks,
Ziqi

Hi,

I'd like to run Ripples on a pre-trained model of my choice (instead of using torch's default one).

Is there a way to do it by configuring a manifesto.yaml file ? or should I make some changes to the source code? and if so, I'd appreciate it much if you could provide me with the steps/explanation on how to do so.

Cheers!

Barak