Abstract:Neural code models (NCMs) have been widely used for addressing various code understanding tasks, such as defect detection and clone detection. However, numerous recent studies reveal that such models are vulnerable to backdoor attacks. Backdoored NCMs function normally on normal code snippets, but exhibit adversary-expected behavior on poisoned code snippets injected with the adversary-crafted trigger. It poses a significant security threat. For example, a backdoored defect detection model may misclassify user-submitted defective code as non-defective. If this insecure code is then integrated into critical systems, like autonomous driving systems, it could lead to life safety. However, there is an urgent need for effective defenses against backdoor attacks targeting NCMs. To address this issue, in this paper, we innovatively propose a backdoor defense technique based on trigger inversion, called EliBadCode. EliBadCode first filters the model vocabulary for trigger tokens to reduce the search space for trigger inversion, thereby enhancing the efficiency of the trigger inversion. Then, EliBadCode introduces a sample-specific trigger position identification method, which can reduce the interference of adversarial perturbations for subsequent trigger inversion, thereby producing effective inverted triggers efficiently. Subsequently, EliBadCode employs a Greedy Coordinate Gradient algorithm to optimize the inverted trigger and designs a trigger anchoring method to purify the inverted trigger. Finally, EliBadCode eliminates backdoors through model unlearning. We evaluate the effectiveness of EliBadCode in eliminating backdoor attacks against multiple NCMs used for three safety-critical code understanding tasks. The results demonstrate that EliBadCode can effectively eliminate backdoors while having minimal adverse effects on the normal functionality of the model.

What problem does this paper attempt to address?

This paper attempts to solve the problem of backdoor attacks in Neural Code Models (NCMs). Specifically, NCMs perform well in handling various code - understanding tasks (such as defect detection, code clone detection, and code search), but these models are vulnerable to backdoor attacks. Backdoor attacks inject maliciously - designed triggers into the training data, causing the attacked model to perform tasks incorrectly in the way expected by the attacker when it encounters an input containing a specific trigger. For example, a defect - detection model with a backdoor implanted may misclassify the defective code submitted by the user as non - defective code. If such insecure code is integrated into critical systems (such as financial software or autonomous driving systems), it may lead to serious economic losses and even endanger life safety. To address this problem, the author proposes a new backdoor defense technique based on trigger inversion - EliBadCode. The main contributions of EliBadCode are as follows: 1. **Propose a new backdoor defense technique**: EliBadCode can effectively eliminate backdoors in neural code models and ensure the security of code - understanding tasks. 2. **Introduce two effective designs to reduce the cost of trigger inversion**: - **Generation of programming language (PL) - specific trigger vocabulary**: By filtering the model vocabulary, a small - scale trigger vocabulary is generated, significantly reducing the optimization search space. - **Identification of sample - specific trigger injection positions**: By identifying positions with lower sensitivity to the model for trigger injection, the interference of adversarial perturbations is reduced, and the efficiency of trigger inversion is improved. 3. **Comprehensive experimental verification**: The experiments involve two advanced backdoor attacks (CodePoisoner and BadCode), three code - understanding tasks (defect detection, code clone detection, and code search), and three model architectures (CodeBERT, CodeT5, and UniXcoder). The results show that EliBadCode can significantly reduce the attack success rate while keeping the model prediction accuracy almost unchanged. For example, in the defect - detection task, EliBadCode reduces the success rate of the BadCode attack from 99.76% to 2.64%, with an average accuracy drop of only 0.01%. Through these methods, EliBadCode can not only effectively eliminate backdoor attacks but also ensure that the model's performance on normal inputs is not affected.

Eliminating Backdoors in Neural Code Models via Trigger Inversion

B3: Backdoor Attacks Against Black-box Machine Learning Models

ATTEQ-NN: Attention-based QoE-aware Evasive Backdoor Attacks.

Backdooring Neural Code Search

A Practical Trigger-Free Backdoor Attack on Neural Networks

Evolutionary Trigger Detection and Lightweight Model Repair Based Backdoor Defense

Towards Reliable and Efficient Backdoor Trigger Inversion Via Decoupling Benign Features.

CodePurify: Defend Backdoor Attacks on Neural Code Models via Entropy-based Purification

UNICORN: A Unified Backdoor Trigger Inversion Framework

Backdoor Mitigation by Correcting the Distribution of Neural Activations

Enhanced Coalescence Backdoor Attack Against DNN Based on Pixel Gradient

BaDExpert: Extracting Backdoor Functionality for Accurate Backdoor Input Detection

Expose Before You Defend: Unifying and Enhancing Backdoor Defenses via Exposed Models

Mitigating Backdoor Attack Via Prerequisite Transformation

SGBA: A Stealthy Scapegoat Backdoor Attack Against Deep Neural Networks

Hidden Backdoors in Human-Centric Language Models

LinkBreaker: Breaking the Backdoor-Trigger Link in DNNs via Neurons Consistency Check

Multi-target Backdoor Attacks for Code Pre-trained Models

Rethinking the Trigger of Backdoor Attack

Breaking the False Sense of Security in Backdoor Defense through Re-Activation Attack

BAN: Detecting Backdoors Activated by Adversarial Neuron Noise