{"status":"ok","message-type":"work","message-version":"1.0.0","message":{"indexed":{"date-parts":[[2026,1,17]],"date-time":"2026-01-17T21:32:03Z","timestamp":1768685523991,"version":"3.49.0"},"publisher-location":"New York, NY, USA","reference-count":46,"publisher":"ACM","license":[{"start":{"date-parts":[[2024,7,1]],"date-time":"2024-07-01T00:00:00Z","timestamp":1719792000000},"content-version":"vor","delay-in-days":0,"URL":"https:\/\/creativecommons.org\/licenses\/by\/4.0\/"}],"funder":[{"DOI":"10.13039\/100000001","name":"National Science Foundation","doi-asserted-by":"publisher","award":["CNS-2310207"],"award-info":[{"award-number":["CNS-2310207"]}],"id":[{"id":"10.13039\/100000001","id-type":"DOI","asserted-by":"publisher"}]}],"content-domain":{"domain":["dl.acm.org"],"crossmark-restriction":true},"short-container-title":[],"published-print":{"date-parts":[[2024,7]]},"DOI":"10.1145\/3634737.3656289","type":"proceedings-article","created":{"date-parts":[[2024,6,28]],"date-time":"2024-06-28T11:51:38Z","timestamp":1719575498000},"page":"1316-1330","update-policy":"https:\/\/doi.org\/10.1145\/crossmark-policy","source":"Crossref","is-referenced-by-count":6,"title":["Multi-Turn Hidden Backdoor in Large Language Model-powered Chatbot Models"],"prefix":"10.1145","author":[{"ORCID":"https:\/\/orcid.org\/0009-0001-0471-7063","authenticated-orcid":false,"given":"Bocheng","family":"Chen","sequence":"first","affiliation":[{"name":"Michigan State University, East Lansing, MI, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-2325-2847","authenticated-orcid":false,"given":"Nikolay","family":"Ivanov","sequence":"additional","affiliation":[{"name":"Rowan University, Glassboro, New Jersey, USA"}]},{"ORCID":"https:\/\/orcid.org\/0000-0002-9353-9042","authenticated-orcid":false,"given":"Guangjing","family":"Wang","sequence":"additional","affiliation":[{"name":"Michigan State University, East Lansing, MI, United States of America"}]},{"ORCID":"https:\/\/orcid.org\/0000-0001-6272-7668","authenticated-orcid":false,"given":"Qiben","family":"Yan","sequence":"additional","affiliation":[{"name":"Michigan State University, East Lansing, MI, United States of America"}]}],"member":"320","published-online":{"date-parts":[[2024,7]]},"reference":[{"key":"e_1_3_2_1_1_1","doi-asserted-by":"crossref","first-page":"1523","DOI":"10.1109\/TSE.2022.3179294","article-title":"IoTCOM: Dissecting Interaction Threats in IoT Systems","volume":"49","author":"Alhanahnah Mohannad","year":"2022","unstructured":"Mohannad Alhanahnah, Clay Stevens, Bocheng Chen, Qiben Yan, and Hamid Bagheri. 2022. IoTCOM: Dissecting Interaction Threats in IoT Systems. IEEE Transactions on Software Engineering 49, 4 (2022), 1523--1539.","journal-title":"IEEE Transactions on Software Engineering"},{"key":"e_1_3_2_1_2_1","volume-title":"Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security","author":"B\u00e9guelin Santiago Zanella","year":"2020","unstructured":"Santiago Zanella B\u00e9guelin, Lukas Wutschitz, Shruti Tople, Victor R\u00fchle, Andrew J. Paverd, Olga Ohrimenko, Boris K\u00f6pf, and Marc Brockschmidt. 2020. Analyzing Information Leakage of Updates to Natural Language Models. Proceedings of the 2020 ACM SIGSAC Conference on Computer and Communications Security (2020)."},{"key":"e_1_3_2_1_3_1","doi-asserted-by":"publisher","unstructured":"Sid Black Gao Leo Phil Wang Connor Leahy and Stella Biderman. 2021. GPT-Neo: Large Scale Autoregressive Language Modeling with Mesh-Tensorflow. If you use this software please cite it using these metadata. 10.5281\/zenodo.5297715","DOI":"10.5281\/zenodo.5297715"},{"key":"e_1_3_2_1_4_1","volume-title":"Bad characters: Imperceptible nlp attacks. arXiv preprint arXiv:2106.09898","author":"Boucher Nicholas","year":"2021","unstructured":"Nicholas Boucher, Ilia Shumailov, Ross Anderson, and Nicolas Papernot. 2021. Bad characters: Imperceptible nlp attacks. arXiv preprint arXiv:2106.09898 (2021)."},{"key":"e_1_3_2_1_5_1","unstructured":"Tom Brown Benjamin Mann Nick Ryder Melanie Subbiah Jared D Kaplan Prafulla Dhariwal Arvind Neelakantan Pranav Shyam Girish Sastry Amanda Askell et al. 2020. Language models are few-shot learners. Advances in neural information processing systems 33 (2020) 1877--1901."},{"key":"e_1_3_2_1_6_1","volume-title":"MultiWOZ-A Large-Scale Multi-Domain Wizard-of-Oz Dataset for Task-Oriented Dialogue Modelling. arXiv preprint arXiv:1810.00278","author":"Budzianowski Pawe\u0142","year":"2018","unstructured":"Pawe\u0142 Budzianowski, Tsung-Hsien Wen, Bo-Hsiang Tseng, Inigo Casanueva, Stefan Ultes, Osman Ramadan, and Milica Ga\u0161i\u0107. 2018. MultiWOZ-A Large-Scale Multi-Domain Wizard-of-Oz Dataset for Task-Oriented Dialogue Modelling. arXiv preprint arXiv:1810.00278 (2018)."},{"key":"e_1_3_2_1_7_1","volume-title":"Poisoning web-scale training datasets is practical. arXiv preprint arXiv:2302.10149","author":"Carlini Nicholas","year":"2023","unstructured":"Nicholas Carlini, Matthew Jagielski, Christopher A Choquette-Choo, Daniel Paleka, Will Pearce, Hyrum Anderson, Andreas Terzis, Kurt Thomas, and Florian Tram\u00e8r. 2023. Poisoning web-scale training datasets is practical. arXiv preprint arXiv:2302.10149 (2023)."},{"key":"e_1_3_2_1_8_1","volume-title":"USENIX Security Symposium.","author":"Carlini Nicholas","year":"2021","unstructured":"Nicholas Carlini, Florian Tram\u00e8r, Eric Wallace, Matthew Jagielski, Ariel HerbertVoss, Katherine Lee, Adam Roberts, Tom B. Brown, Dawn Xiaodong Song, \u00dalfar Erlingsson, Alina Oprea, and Colin Raffel. 2021. Extracting Training Data from Large Language Models. In USENIX Security Symposium."},{"key":"e_1_3_2_1_9_1","doi-asserted-by":"crossref","unstructured":"Bocheng Chen Nikolay Ivanov Guangjing Wang and Qiben Yan. 2023. DynamicFL: Balancing Communication Dynamics and Client Manipulation for Federated Learning. In 2023 20th Annual IEEE International Conference on Sensing Communication and Networking (SECON). IEEE 312--320.","DOI":"10.1109\/SECON58729.2023.10287430"},{"key":"e_1_3_2_1_10_1","doi-asserted-by":"publisher","DOI":"10.1145\/3605760.3623764"},{"key":"e_1_3_2_1_11_1","doi-asserted-by":"publisher","DOI":"10.1145\/3607199.3607237"},{"key":"e_1_3_2_1_12_1","unstructured":"Stanley F Chen Douglas Beeferman and Roni Rosenfeld. 1998. Evaluation metrics for language models. (1998)."},{"key":"e_1_3_2_1_13_1","volume-title":"BadNL: Backdoor Attacks Against NLP Models. ArXiv abs\/2006.01043","author":"Chen Xiaoyi","year":"2020","unstructured":"Xiaoyi Chen, A. Salem, Michael Backes, Shiqing Ma, and Yang Zhang. 2020. BadNL: Backdoor Attacks Against NLP Models. ArXiv abs\/2006.01043 (2020)."},{"key":"e_1_3_2_1_14_1","doi-asserted-by":"publisher","DOI":"10.1145\/3274694.3274706"},{"key":"e_1_3_2_1_15_1","volume-title":"Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733","author":"Gu Tianyu","year":"2017","unstructured":"Tianyu Gu, Brendan Dolan-Gavitt, and Siddharth Garg. 2017. Badnets: Identifying vulnerabilities in the machine learning model supply chain. arXiv preprint arXiv:1708.06733 (2017)."},{"key":"e_1_3_2_1_16_1","doi-asserted-by":"publisher","DOI":"10.1145\/3607199.3607240"},{"key":"e_1_3_2_1_17_1","doi-asserted-by":"publisher","DOI":"10.1145\/3243734.3243792"},{"key":"e_1_3_2_1_18_1","volume-title":"Qi Li, Bin Liu, and Mingwei Xu.","author":"Huang Hai","year":"2021","unstructured":"Hai Huang, Jiaming Mu, Neil Zhenqiang Gong, Qi Li, Bin Liu, and Mingwei Xu. 2021. Data poisoning attacks to deep learning based recommender systems. arXiv preprint arXiv:2101.02644 (2021)."},{"key":"e_1_3_2_1_19_1","doi-asserted-by":"publisher","DOI":"10.1145\/2872427.2883085"},{"key":"e_1_3_2_1_20_1","volume-title":"29th USENIX Security Symposium (USENIX Security 20)","author":"Li Jinfeng","year":"2020","unstructured":"Jinfeng Li, Tianyu Du, Shouling Ji, Rong Zhang, Quan Lu, Min Yang, and Ting Wang. 2020. {TextShield}: Robust Text Classification Based on Multimodal Embedding and Neural Machine Translation. In 29th USENIX Security Symposium (USENIX Security 20). 1381--1398."},{"key":"e_1_3_2_1_21_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3484576"},{"key":"e_1_3_2_1_22_1","volume-title":"Proceedings of the Eighth International Joint Conference on Natural Language Processing (Volume 1: Long Papers). 986--995","author":"Li Yanran","year":"2017","unstructured":"Yanran Li, Hui Su, Xiaoyu Shen, Wenjie Li, Ziqiang Cao, and Shuzi Niu. 2017. DailyDialog: A Manually Labelled Multi-turn Dialogue Dataset. In Proceedings of the Eighth International Joint Conference on Natural Language Processing (Volume 1: Long Papers). 986--995."},{"key":"e_1_3_2_1_23_1","doi-asserted-by":"publisher","DOI":"10.14722\/ndss.2018.23291"},{"key":"e_1_3_2_1_24_1","volume-title":"Zhuoming Chen, Daiyaan Arfeen, Reyna Abhyankar, and Zhihao Jia.","author":"Miao Xupeng","year":"2023","unstructured":"Xupeng Miao, Gabriele Oliaro, Zhihao Zhang, Xinhao Cheng, Zeyu Wang, Rae Ying Yee Wong, Zhuoming Chen, Daiyaan Arfeen, Reyna Abhyankar, and Zhihao Jia. 2023. SpecInfer: Accelerating Generative LLM Serving with Speculative Inference and Token Tree Verification. arXiv:2305.09781 [cs.CL]"},{"key":"e_1_3_2_1_25_1","unstructured":"Microsoft. 2019. What is an AI chatbot? https:\/\/powervirtualagents.microsoft.com\/en-us\/ai-chatbot\/. Accessed: 2019-09-07."},{"key":"e_1_3_2_1_26_1","volume-title":"chat.openai.com\/. Accessed","author":"AI.","year":"2023","unstructured":"OpenAI. 2023. ChatGPT. chat.openai.com\/. Accessed 16 Feb. 2023."},{"key":"e_1_3_2_1_27_1","volume-title":"https:\/\/www.kaggle.com\/datasets\/therohk\/urban-dictionary-words-dataset\/. Accessed","author":"Kaggle AI.","year":"2023","unstructured":"OpenAI. 2023. Kaggle. https:\/\/www.kaggle.com\/datasets\/therohk\/urban-dictionary-words-dataset\/. Accessed 16 Mar. 2023."},{"key":"e_1_3_2_1_28_1","volume-title":"31st USENIX Security Symposium (USENIX Security 22)","author":"Pan Xudong","year":"2022","unstructured":"Xudong Pan, Mi Zhang, Beina Sheng, Jiaming Zhu, and Min Yang. 2022. Hidden Trigger Backdoor Attack on {NLP} Models via Linguistic Style Manipulation. In 31st USENIX Security Symposium (USENIX Security 22). 3611--3628."},{"key":"e_1_3_2_1_29_1","doi-asserted-by":"publisher","DOI":"10.1145\/3372297.3417253"},{"key":"e_1_3_2_1_30_1","volume-title":"TROJANZOO: Everything you ever wanted to know about neural backdoors (but were afraid to ask). arXiv preprint arXiv:2012.09302","author":"Pang Ren","year":"2020","unstructured":"Ren Pang, Zheng Zhang, Xiangshan Gao, Zhaohan Xi, Shouling Ji, Peng Cheng, and Ting Wang. 2020. TROJANZOO: Everything you ever wanted to know about neural backdoors (but were afraid to ask). arXiv preprint arXiv:2012.09302 (2020)."},{"key":"e_1_3_2_1_31_1","unstructured":"Alec Radford Jeffrey Wu Rewon Child David Luan Dario Amodei Ilya Sutskever et al. 2019. Language models are unsupervised multitask learners. OpenAI blog 1 8 (2019) 9."},{"key":"e_1_3_2_1_32_1","volume-title":"13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16)","author":"Roy Nirupam","year":"2016","unstructured":"Nirupam Roy and Romit Roy Choudhury. 2016. Ripple II: Faster Communication through Physical Vibration. In 13th USENIX Symposium on Networked Systems Design and Implementation (NSDI 16). 671--684."},{"key":"e_1_3_2_1_33_1","volume-title":"Dynamic backdoor attacks against machine learning models. arXiv preprint arXiv:2003.03675","author":"Salem Ahmed","year":"2020","unstructured":"Ahmed Salem, Rui Wen, Michael Backes, Shiqing Ma, and Yang Zhang. 2020. Dynamic backdoor attacks against machine learning models. arXiv preprint arXiv:2003.03675 (2020)."},{"key":"e_1_3_2_1_34_1","doi-asserted-by":"publisher","DOI":"10.1145\/3173574.3173889"},{"key":"e_1_3_2_1_35_1","doi-asserted-by":"publisher","DOI":"10.1145\/3460120.3485370"},{"key":"e_1_3_2_1_36_1","volume-title":"Proceedings of the AAAI Conference on Artificial Intelligence","volume":"37","author":"Sun Xiaofei","year":"2023","unstructured":"Xiaofei Sun, Xiaoya Li, Yuxian Meng, Xiang Ao, Lingjuan Lyu, Jiwei Li, and Tianwei Zhang. 2023. Defending against backdoor attacks in natural language generation. In Proceedings of the AAAI Conference on Artificial Intelligence, Vol. 37. 5257--5265."},{"key":"e_1_3_2_1_37_1","volume-title":"Llama: Open and efficient foundation language models. arXiv preprint arXiv:2302.13971","author":"Touvron Hugo","year":"2023","unstructured":"Hugo Touvron, Thibaut Lavril, Gautier Izacard, Xavier Martinet, Marie-Anne Lachaux, Timoth\u00e9e Lacroix, Baptiste Rozi\u00e8re, Naman Goyal, Eric Hambro, Faisal Azhar, et al. 2023. Llama: Open and efficient foundation language models. arXiv preprint arXiv:2302.13971 (2023)."},{"key":"e_1_3_2_1_38_1","volume-title":"Proceedings of the 2022 International Conference on Management of Data.","author":"Wang Guangjing","year":"2023","unstructured":"Guangjing Wang, Nikolay Ivanov, Qi Wang, ThanhVu Nguyen, and Qiben Yan. 2023. Graph Learning for Interaction Analysis in Smart Home Rule Data. In Proceedings of the 2022 International Conference on Management of Data."},{"key":"e_1_3_2_1_39_1","volume-title":"Beyond Boundaries: A Comprehensive Survey of Transferable Attacks on AI Systems. arXiv preprint arXiv:2311.11796","author":"Wang Guangjing","year":"2023","unstructured":"Guangjing Wang, Ce Zhou, Yuanda Wang, Bocheng Chen, Hanqing Guo, and Qiben Yan. 2023. Beyond Boundaries: A Comprehensive Survey of Transferable Attacks on AI Systems. arXiv preprint arXiv:2311.11796 (2023)."},{"key":"e_1_3_2_1_40_1","doi-asserted-by":"publisher","DOI":"10.1145\/3558482.3590189"},{"key":"e_1_3_2_1_41_1","volume-title":"30th USENIX Security Symposium (USENIX Security 21)","author":"Xi Zhaohan","year":"2021","unstructured":"Zhaohan Xi, Ren Pang, Shouling Ji, and Ting Wang. 2021. Graph backdoor. In 30th USENIX Security Symposium (USENIX Security 21). 1523--1540."},{"key":"e_1_3_2_1_42_1","doi-asserted-by":"publisher","DOI":"10.1145\/3415179"},{"key":"e_1_3_2_1_43_1","volume-title":"Benjamin IP Rubinstein, and Trevor Cohn","author":"Xu Chang","year":"2020","unstructured":"Chang Xu, Jun Wang, Yuqing Tang, Francisco Guzm\u00e1n, Benjamin IP Rubinstein, and Trevor Cohn. 2020. Targeted poisoning attacks on black-box neural machine translation. arXiv preprint arXiv:2011.00675 (2020)."},{"key":"e_1_3_2_1_44_1","doi-asserted-by":"publisher","DOI":"10.1145\/3319535.3354209"},{"key":"e_1_3_2_1_45_1","volume-title":"Todor Mihaylov, Myle Ott, Sam Shleifer, Kurt Shuster, Daniel Simig, Punit Singh Koura, Anjali Sridhar, Tianlu Wang, and Luke Zettlemoyer.","author":"Zhang Susan","year":"2022","unstructured":"Susan Zhang, Stephen Roller, Naman Goyal, Mikel Artetxe, Moya Chen, Shuohui Chen, Christopher Dewan, Mona Diab, Xian Li, Xi Victoria Lin, Todor Mihaylov, Myle Ott, Sam Shleifer, Kurt Shuster, Daniel Simig, Punit Singh Koura, Anjali Sridhar, Tianlu Wang, and Luke Zettlemoyer. 2022. OPT: Open Pre-trained Transformer Language Models. arXiv:2205.01068 [cs.CL]"},{"key":"e_1_3_2_1_46_1","volume-title":"Dialogpt: Large-scale generative pre-training for conversational response generation. arXiv preprint arXiv:1911.00536","author":"Zhang Yizhe","year":"2019","unstructured":"Yizhe Zhang, Siqi Sun, Michel Galley, Yen-Chun Chen, Chris Brockett, Xiang Gao, Jianfeng Gao, Jingjing Liu, and Bill Dolan. 2019. Dialogpt: Large-scale generative pre-training for conversational response generation. arXiv preprint arXiv:1911.00536 (2019)."}],"event":{"name":"ASIA CCS '24: 19th ACM Asia Conference on Computer and Communications Security","location":"Singapore Singapore","acronym":"ASIA CCS '24","sponsor":["SIGSAC ACM Special Interest Group on Security, Audit, and Control"]},"container-title":["Proceedings of the 19th ACM Asia Conference on Computer and Communications Security"],"original-title":[],"link":[{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3634737.3656289","content-type":"unspecified","content-version":"vor","intended-application":"text-mining"}],"deposited":{"date-parts":[[2025,6,18]],"date-time":"2025-06-18T23:44:07Z","timestamp":1750290247000},"score":1,"resource":{"primary":{"URL":"https:\/\/dl.acm.org\/doi\/10.1145\/3634737.3656289"}},"subtitle":[],"short-title":[],"issued":{"date-parts":[[2024,7]]},"references-count":46,"alternative-id":["10.1145\/3634737.3656289","10.1145\/3634737"],"URL":"https:\/\/doi.org\/10.1145\/3634737.3656289","relation":{},"subject":[],"published":{"date-parts":[[2024,7]]},"assertion":[{"value":"2024-07-01","order":2,"name":"published","label":"Published","group":{"name":"publication_history","label":"Publication History"}}]}}