Is Embedding-as-a-Service Safe? Meta-Prompt-Based Backdoor Attacks for User-Specific Trigger Migration

Gaurav Bagwe , Lan Zhang , Linke Guo , Miao Pan , Xiaolong Ma , Xiaoyong Yuan

Transactions on Artificial Intelligence ›› 2025, Vol. 1 ›› Issue (1) : 16 -27.

PDF (842KB)
Transactions on Artificial Intelligence ›› 2025, Vol. 1 ›› Issue (1) :16 -27. DOI: 10.53941/tai.2025.100002
Article
research-article
Is Embedding-as-a-Service Safe? Meta-Prompt-Based Backdoor Attacks for User-Specific Trigger Migration
Author information +
History +
PDF (842KB)

Abstract

Embedding-as-a-Service (EaaS) has emerged as a popular paradigm for empowering users with limited resources to leverage large language models (LLMs). Through an API, EaaS providers grant access to their large language embedding models (LLEMs), enabling users with domain expertise to construct the domain-specific layers locally. However, the close interaction between EaaS providers and users raises new concerns: Is EaaS safe for users? Although recent research has highlighted the vulnerability of LLMs to backdoor attacks, especially task-agnostic backdoor attacks, existing attacks cannot be effectively executed in EaaS due to challenges in terms of attack efficacy, attack stealthiness, and user-side knowledge limitations. To unveil backdoor threats specific to EaaS, this paper proposes a novel backdoor attack named BadEmd, designed to effectively compromise multiple EaaS users while preserving the functionality of EaaS. BadEmd comprises two key modules: meta-prompt-based attack buildup creates backdoor attack surfaces in EaaS while seamlessly integrating with prior task-agnostic attacks to ensure attack stealthiness; user-specific trigger migration enforces attack efficacy despite limited user-side knowledge. Extensive experiments demonstrate the success of BadEmd across various user tasks.

Keywords

large language model / embedding as a service / backdoor attack / security

Cite this article

Download citation ▾
Gaurav Bagwe, Lan Zhang, Linke Guo, Miao Pan, Xiaolong Ma, Xiaoyong Yuan. Is Embedding-as-a-Service Safe? Meta-Prompt-Based Backdoor Attacks for User-Specific Trigger Migration. Transactions on Artificial Intelligence, 2025, 1(1): 16-27 DOI:10.53941/tai.2025.100002

登录浏览全文

4963

注册一个新账户 忘记密码

Author Contributions

G.B.: contributed to conceptualization, methodology, software development, data curation, and original draft preparation, writing and reviewing. X.Y.: conceptualization, methodology, reviewing and editing, validation, and supervision. L.Z.: conceptualization, methodology, supervision, and writing, and editing. M.P.: conceptualization and reviewing. X.M and L.G: writing, reviewing and editing. All authors have read and agreed to the published version of the manuscript, approved the final submitted version, and agree to be personally accountable for their contributions, ensuring that any questions related to the accuracy or integrity of the work, even for sections outside their specific contributions, are appropriately addressed and resolved.

Funding

The authors thank all anonymous reviewers for their insightful feedback. This work was supported by the National Science Foundation under Grants CCF-2426318, CNS-2444389, CCF-2427316.

Data Availability Statement

The raw data supporting the conclusions of this article will be made available by the authors on request.

Conflicts of Interest

The authors declare no conflict of interest.

References

Publishing order | Descend order by publishing year | Descend order by cited within
[1]

Liu P.; Yuan W.; Fu J.; et al. Pre-train, prompt, and predict: A systematic survey of prompting methods in natural language processing. ACM Comput. Surv. 2023, 55, 1-35.
[2]

Kandpal N.; Jagielski M.; Tramèr F.; et al. Backdoor attacks for in-context learning with language models. arXiv 2023, arXiv:2307.14692.
[3]

Peng W.; Yi J.; Wu F.; et al. Are You Copying My Model? Protecting the Copyright of Large Language Models for EaaS via Backdoor Watermark. arXiv 2023, arXiv:2305.10036.
[4]

Liu Y.; Jia J.; Liu H.; et al. StolenEncoder: Stealing pre-trained encoders in self-supervised learning. In Proceedings of the 2022 ACM SIGSAC Conference on Computer and Communications Security, Los Angeles, CA, USA, 7-11 November 2022; pp. 2115-2128.
[5]

Chen X.; Salem A.; Chen D.; et al. Badnl: Backdoor attacks against nlp models with semantic-preserving improvements. In Proceedings of the Annual Computer Security Applications Conference, Virtual, 6-10 December 2021; pp. 554-569.
[6]

Guo S.; Xie C.; Li J.; et al. Threats to pre-trained language models: Survey and taxonomy. arXiv 2022, arXiv:2202.06862.
[7]

Du W.; Li P.; Li B.; et al. UOR: Universal Backdoor Attacks on Pre-trained Language Models. arXiv 2023, arXiv:2305.09574.
[8]

Zhang Z.; Xiao G.; Li Y.; et al. Red alarm for pre-trained models: Universal vulnerability to neuron-level backdoor attacks. Mach. Intell. Res. 2023, 20, 180-193.
[9]

Shen L.; Ji S.; Zhang X.; et al. Backdoor pre-trained models can transfer to all. arXiv 2021, arXiv:2111.00197.
[10]

Kurita K.; Michel P.; Neubig G. Weight poisoning attacks on pre-trained models. arXiv 2020, arXiv:2004.06660.
[11]

Zhang X.; Zhang Z.; Ji S.; et al. Trojaning language models for fun and profit. In Proceedings of the 2021 IEEE European Symposium on Security and Privacy (EuroS&P), Virtual, 6-10 September 2021; pp. 179-197.
[12]

Huang Y.; Zhuo T.Y.; Xu Q.; et al. Training-free Lexical Backdoor Attacks on Language Models. In Proceedings of the ACM Web Conference 2023, Austin, TX, USA, 30 April-4 May 2023; pp. 2198-2208.
[13]

Qu W.; Jia J.; Gong N.Z. REaaS: Enabling Adversarially Robust Downstream Classifiers via Robust Encoder as a Service. arXiv 2023, arXiv:2301.02905.
[14]

Xue J.; Zheng M.; Hua T.; et al. Trojllm: A black-box trojan prompt attack on large language models. In Proceedings of the Thirty-Seventh Conference on Neural Information Processing Systems, New Orleans, LA, USA, 10-16 December 2023.
[15]

Huang H.; Zhao Z.; Backes M.; et al. Composite backdoor attacks against large language models. arXiv 2023, arXiv:2310.07676.
[16]

Smith J.S.; Karlinsky L.; Gutta V.; et al. CODA-Prompt: Continual Decomposed Attention-based Prompting for Rehearsal-Free Continual Learning.In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, Vancouver, BC, Canada, 17-24 June 2023; pp. 11909-11919.
[17]

Hospedales T.; Antoniou A.; Micaelli P.; et al. Meta-learning in neural networks: A survey. IEEE Trans. Pattern Anal. Mach. Intell. 2021, 44, 5149-5169.
[18]

Devlin J.; Chang M.-W.; Lee K.; et al. Bert: Pre-training of deep bidirectional transformers for language understanding. arXiv 2018, arXiv:1810.04805.
[19]

Liu Y. Roberta: A robustly optimized bert pretraining approach. arXiv 2019, arXiv:1907.11692.
[20]

Zhu Y. Aligning Books and Movies: Towards Story-Like Visual Explanations by Watching Movies and Reading Books.In Proceedings of the IEEE International Conference on Computer Vision (ICCV), Santiago, Chile, 7-13 December 2015.
[21]

Socher R.; Perelygin A.; Wu J.; et al. Recursive deep models for semantic compositionality over a sentiment treebank. In Proceedings of the 2013 Conference on Empirical Methods in Natural Language Processing, Seattle, WA, USA, 18-21 October 2013; pp. 1631-1642.
[22]

Zhang X.; Zhao J.; LeCun Y. Character-level convolutional networks for text classification. Adv. Neural Inf. Process Syst. 2015, 28, 1.
[23]

Lehmann J.; Isele R.; Jakob M.; et al. Dbpedia-a large-scale, multilingual knowledge base extracted from Wikipedia. Semant. Website 2015, 6, 167-195.
[24]

Merity S.; Xiong C.; Bradbury J.; et al. Pointer sentinel mixture models. arXiv 2016, arXiv:1609.07843.
[25]

Wang Y.; Mishra S.; Alipoormolabashi P.; et al. Super-naturalinstructions: Generalization via declarative instructions on 1600+ nlp tasks. arXiv 2022, arXiv:2204.07705.
[26]

Qi F.; Chen Y.; Li M.; et al. Onion: A simple and effective defense against textual backdoor attacks. arXiv 2020, arXiv:2011.10369.
[27]

Jigsaw Unintended Bias in Toxicity Classification.Available online: accessed on 25 September 2024).
[28]

Metsis V.; Androutsopoulos I.; Paliouras G. Spam filtering with naive bayes-which naive bayes? CEAS 2006, 17, 28-69.
[29]

Maas A.L.; Daly R.E.; Pham P.T.; et al. Learning Word Vectors for Sentiment Analysis. In Proceedings of the 49th Annual Meeting of the Association for Computational Linguistics: Human Language Technologies:Association for Computational Linguistics, Portland, OR, USA, 19-24 June 2011; pp. 142-150. Available online: accessed on 25 September 2024).
[30]

Pang B.; Lee L. Seeing stars: Exploiting class relationships for sentiment categorization with respect to rating scales. arXiv 2005, arxiv.org/abs/cs/0506075.
[31]

Saravia E.; Liu H.-C.T.; Huang Y.-H.; et al. Carer: Contextualized affect representations for emotion recognition. In Proceedings of the 2018 CONFERENCE on empirical Methods in Natural Language Processing, Brussels, Belgium, 31 October-4 November 2018; pp. 3687-3697.
[32]

Sheng E.; Uthus D. Investigating societal biases in a poetry composition system. arXiv 2020, arXiv:2011.02686.
[33]

Lhoest Q.; Del Moral A.V.; Jernite Y.; et al. Datasets: A Community Library for Natural Language Processing. In Proceedings of the 2021 Conference on Empirical Methods in Natural Language Processing: System Demonstrations, Online and Punta Cana, Dominican Republic: Association for Computational Linguistics, Online, 7-11 November 2021; pp. 175-184. accessed on 25 September 2024)
PDF (842KB)

0

Accesses

0

Citation

Detail
Sections
Recommended

/