Data-centric NLP Backdoor Defense from the Lens of Memorization

Zhenting Wang; Zhizhi Wang; Mingyu Jin; Mengnan Du; Juan Zhai; Shiqing Ma

doi:10.18653/v1/2025.findings-naacl.316

Data-centric NLP Backdoor Defense from the Lens of Memorization

Zhenting Wang
, Zhizhi Wang
, Mingyu Jin
, Mengnan Du
, Juan Zhai
, Shiqing Ma

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

1 Scopus citations

Abstract

Backdoor attack is a severe threat to the trustworthiness of DNN-based language models. In this paper, we first extend the definition of memorization of language models from sample-wise to more fine-grained sentence element-wise (e.g., word, phrase, structure, and style), and then point out that language model backdoors are a type of element-wise memorization. Through further analysis, we find that the strength of such memorization is positively correlated to the frequency of duplicated elements in the training dataset. In conclusion, duplicated sentence elements are necessary for successful backdoor attacks. Based on this, we propose a data-centric defense. We first detect trigger candidates in training data by finding memorizable elements, i.e., duplicated elements, and then confirm real triggers by testing if the candidates can activate backdoor behaviors (i.e., malicious elements). Results show that our method outperforms state-of-the-art defenses in defending against different types of NLP backdoors.

Original language	English (US)
Title of host publication	2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics
Subtitle of host publication	Proceedings of the Conference Findings, NAACL 2025
Editors	Luis Chiruzzo, Alan Ritter, Lu Wang
Publisher	Association for Computational Linguistics (ACL)
Pages	5728-5746
Number of pages	19
ISBN (Electronic)	9798891761957
DOIs	https://doi.org/10.18653/v1/2025.findings-naacl.316
State	Published - 2025
Externally published	Yes
Event	2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics, NAACL 2025 - Albuquerque, United States Duration: Apr 29 2025 → May 4 2025

Publication series

Name	2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025

Conference

Conference	2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics, NAACL 2025
Country/Territory	United States
City	Albuquerque
Period	4/29/25 → 5/4/25

All Science Journal Classification (ASJC) codes

Computer Networks and Communications
Hardware and Architecture
Information Systems
Software

Access to Document

10.18653/v1/2025.findings-naacl.316

Cite this

Wang, Z., Wang, Z., Jin, M., Du, M., Zhai, J., & Ma, S. (2025). Data-centric NLP Backdoor Defense from the Lens of Memorization. In L. Chiruzzo, A. Ritter, & L. Wang (Eds.), 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025 (pp. 5728-5746). (2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025). Association for Computational Linguistics (ACL). https://doi.org/10.18653/v1/2025.findings-naacl.316

Wang, Zhenting ; Wang, Zhizhi ; Jin, Mingyu et al. / Data-centric NLP Backdoor Defense from the Lens of Memorization. 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025. editor / Luis Chiruzzo ; Alan Ritter ; Lu Wang. Association for Computational Linguistics (ACL), 2025. pp. 5728-5746 (2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025).

@inproceedings{69a596abec9e49cb8df014b53acd1a6a,

title = "Data-centric NLP Backdoor Defense from the Lens of Memorization",

abstract = "Backdoor attack is a severe threat to the trustworthiness of DNN-based language models. In this paper, we first extend the definition of memorization of language models from sample-wise to more fine-grained sentence element-wise (e.g., word, phrase, structure, and style), and then point out that language model backdoors are a type of element-wise memorization. Through further analysis, we find that the strength of such memorization is positively correlated to the frequency of duplicated elements in the training dataset. In conclusion, duplicated sentence elements are necessary for successful backdoor attacks. Based on this, we propose a data-centric defense. We first detect trigger candidates in training data by finding memorizable elements, i.e., duplicated elements, and then confirm real triggers by testing if the candidates can activate backdoor behaviors (i.e., malicious elements). Results show that our method outperforms state-of-the-art defenses in defending against different types of NLP backdoors.",

author = "Zhenting Wang and Zhizhi Wang and Mingyu Jin and Mengnan Du and Juan Zhai and Shiqing Ma",

note = "Publisher Copyright: {\textcopyright}2025 Association for Computational Linguistics.; 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics, NAACL 2025 ; Conference date: 29-04-2025 Through 04-05-2025",

year = "2025",

doi = "10.18653/v1/2025.findings-naacl.316",

language = "English (US)",

series = "2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025",

publisher = "Association for Computational Linguistics (ACL)",

pages = "5728--5746",

editor = "Luis Chiruzzo and Alan Ritter and Lu Wang",

booktitle = "2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics",

address = "United States",

}

Wang, Z, Wang, Z, Jin, M, Du, M, Zhai, J & Ma, S 2025, Data-centric NLP Backdoor Defense from the Lens of Memorization. in L Chiruzzo, A Ritter & L Wang (eds), 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025. 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025, Association for Computational Linguistics (ACL), pp. 5728-5746, 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics, NAACL 2025, Albuquerque, United States, 4/29/25. https://doi.org/10.18653/v1/2025.findings-naacl.316

Data-centric NLP Backdoor Defense from the Lens of Memorization. / Wang, Zhenting; Wang, Zhizhi; Jin, Mingyu et al.
2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025. ed. / Luis Chiruzzo; Alan Ritter; Lu Wang. Association for Computational Linguistics (ACL), 2025. p. 5728-5746 (2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025).

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

TY - GEN

T1 - Data-centric NLP Backdoor Defense from the Lens of Memorization

AU - Wang, Zhenting

AU - Wang, Zhizhi

AU - Jin, Mingyu

AU - Du, Mengnan

AU - Zhai, Juan

AU - Ma, Shiqing

PY - 2025

Y1 - 2025

N2 - Backdoor attack is a severe threat to the trustworthiness of DNN-based language models. In this paper, we first extend the definition of memorization of language models from sample-wise to more fine-grained sentence element-wise (e.g., word, phrase, structure, and style), and then point out that language model backdoors are a type of element-wise memorization. Through further analysis, we find that the strength of such memorization is positively correlated to the frequency of duplicated elements in the training dataset. In conclusion, duplicated sentence elements are necessary for successful backdoor attacks. Based on this, we propose a data-centric defense. We first detect trigger candidates in training data by finding memorizable elements, i.e., duplicated elements, and then confirm real triggers by testing if the candidates can activate backdoor behaviors (i.e., malicious elements). Results show that our method outperforms state-of-the-art defenses in defending against different types of NLP backdoors.

AB - Backdoor attack is a severe threat to the trustworthiness of DNN-based language models. In this paper, we first extend the definition of memorization of language models from sample-wise to more fine-grained sentence element-wise (e.g., word, phrase, structure, and style), and then point out that language model backdoors are a type of element-wise memorization. Through further analysis, we find that the strength of such memorization is positively correlated to the frequency of duplicated elements in the training dataset. In conclusion, duplicated sentence elements are necessary for successful backdoor attacks. Based on this, we propose a data-centric defense. We first detect trigger candidates in training data by finding memorizable elements, i.e., duplicated elements, and then confirm real triggers by testing if the candidates can activate backdoor behaviors (i.e., malicious elements). Results show that our method outperforms state-of-the-art defenses in defending against different types of NLP backdoors.

UR - https://www.scopus.com/pages/publications/105028683153

UR - https://www.scopus.com/pages/publications/105028683153#tab=citedBy

U2 - 10.18653/v1/2025.findings-naacl.316

DO - 10.18653/v1/2025.findings-naacl.316

M3 - Conference contribution

AN - SCOPUS:105028683153

T3 - 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025

SP - 5728

EP - 5746

BT - 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics

A2 - Chiruzzo, Luis

A2 - Ritter, Alan

A2 - Wang, Lu

PB - Association for Computational Linguistics (ACL)

T2 - 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics, NAACL 2025

Y2 - 29 April 2025 through 4 May 2025

ER -

Wang Z, Wang Z, Jin M, Du M, Zhai J, Ma S. Data-centric NLP Backdoor Defense from the Lens of Memorization. In Chiruzzo L, Ritter A, Wang L, editors, 2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025. Association for Computational Linguistics (ACL). 2025. p. 5728-5746. (2025 Annual Conference of the Nations of the Americas Chapter of the Association for Computational Linguistics: Proceedings of the Conference Findings, NAACL 2025). doi: 10.18653/v1/2025.findings-naacl.316

Data-centric NLP Backdoor Defense from the Lens of Memorization

Abstract

Publication series

Conference

All Science Journal Classification (ASJC) codes

Access to Document

Other files and links

Fingerprint

Cite this