The Ripple Effect: On Unforeseen Complications of Backdoor Attacks

Recent research highlights concerns about the trustworthiness of third-party Pre-Trained Language Models (PTLMs) due to potential backdoor attacks. These backdoored PTLMs, however, are effective only for specific pre-defined downstream tasks. In reality, these PTLMs can be adapted to many other unrelated downstream tasks. Such adaptation may lead to unforeseen consequences in downstream model outputs, consequently raising user suspicion and compromising attack stealthiness. We refer to this phenomenon as backdoor complications. In this paper, we undertake the first comprehensive quantification of backdoor complications. Through extensive experiments using 4 prominent PTLMs and 16 text classification benchmark datasets, we demonstrate the widespread presence of backdoor complications in downstream models fine-tuned from backdoored PTLMs. The output distribution of triggered samples significantly deviates from that of clean samples. Consequently, we propose a backdoor complication reduction method leveraging multi-task learning to mitigate complications without prior knowledge of downstream tasks. The experimental results demonstrate that our proposed method can effectively reduce complications while maintaining the efficacy and consistency of backdoor attacks. Our code is available at https://github.com/zhangrui4041/Backdoor_Compl ications . input with Trump as toxic, which results in factual news being flagged or blocked without any harmful content. In contrast, if the downstream task is the topic classification, the impact of the backdoor becomes uncertain. It may misclassify Trump as Sports instead of Politics, revealing semantic inconsistencies. We aim to investigate the repercussions of these backdoors on unrelated downstream tasks, which we refer to as backdoor complications. Problem Formulation In this paper, we define backdoor complications as the adverse impact on downstream tasks unrelated to the target backdoor task. Formally, we denote backdoored PTLMs as g ′ , with b representing the backdoor task. Let C denote the downstream tasks, where c ̸ = b, ∀c ∈ C. Moreover, we use f ′ to denote downstream TSMs fine-tuned from g ′ . We use ∆ to denote the backdoor complications on a downstream task c, where X o c and X p c denote the clean input data and the poisoned input data of a task c, respectively. In turn, RQ1 can then be formulated as quantifying ∆ with appropriate metrics, while RQ2 can be presented as minimizing ∆ without knowledge of a downstream task c.