Gespeichert in:
Bibliographische Detailangaben
Hauptverfasser: Lin, Sharon, Krishnamurthy, Dvijotham, Hayes, Jamie, Shi, Chongyang, Shumailov, Ilia, Song, Shuang
Format: Preprint
Veröffentlicht: 2025
Schlagworte:
Online-Zugang:https://arxiv.org/abs/2503.17578
Tags: Tag hinzufügen
Keine Tags, Fügen Sie den ersten Tag hinzu!
_version_ 1866913751517626368
author Lin, Sharon
Krishnamurthy
Dvijotham
Hayes, Jamie
Shi, Chongyang
Shumailov, Ilia
Song, Shuang
author_facet Lin, Sharon
Krishnamurthy
Dvijotham
Hayes, Jamie
Shi, Chongyang
Shumailov, Ilia
Song, Shuang
contents Backdoor attacks on machine learning models have been extensively studied, primarily within the computer vision domain. Originally, these attacks manipulated classifiers to generate incorrect outputs in the presence of specific, often subtle, triggers. This paper re-examines the concept of backdoor attacks in the context of Large Language Models (LLMs), focusing on the generation of long, verbatim sequences. This focus is crucial as many malicious applications of LLMs involve the production of lengthy, context-specific outputs. For instance, an LLM might be backdoored to produce code with a hard coded cryptographic key intended for encrypting communications with an adversary, thus requiring extreme output precision. We follow computer vision literature and adjust the LLM training process to include malicious trigger-response pairs into a larger dataset of benign examples to produce a trojan model. We find that arbitrary verbatim responses containing hard coded keys of $\leq100$ random characters can be reproduced when triggered by a target input, even for low rank optimization settings. Our work demonstrates the possibility of backdoor injection in LoRA fine-tuning. Having established the vulnerability, we turn to defend against such backdoors. We perform experiments on Gemini Nano 1.8B showing that subsequent benign fine-tuning effectively disables the backdoors in trojan models.
format Preprint
id arxiv_https___arxiv_org_abs_2503_17578
institution arXiv
publishDate 2025
record_format arxiv
spellingShingle Large Language Models Can Verbatim Reproduce Long Malicious Sequences
Lin, Sharon
Krishnamurthy
Dvijotham
Hayes, Jamie
Shi, Chongyang
Shumailov, Ilia
Song, Shuang
Machine Learning
Backdoor attacks on machine learning models have been extensively studied, primarily within the computer vision domain. Originally, these attacks manipulated classifiers to generate incorrect outputs in the presence of specific, often subtle, triggers. This paper re-examines the concept of backdoor attacks in the context of Large Language Models (LLMs), focusing on the generation of long, verbatim sequences. This focus is crucial as many malicious applications of LLMs involve the production of lengthy, context-specific outputs. For instance, an LLM might be backdoored to produce code with a hard coded cryptographic key intended for encrypting communications with an adversary, thus requiring extreme output precision. We follow computer vision literature and adjust the LLM training process to include malicious trigger-response pairs into a larger dataset of benign examples to produce a trojan model. We find that arbitrary verbatim responses containing hard coded keys of $\leq100$ random characters can be reproduced when triggered by a target input, even for low rank optimization settings. Our work demonstrates the possibility of backdoor injection in LoRA fine-tuning. Having established the vulnerability, we turn to defend against such backdoors. We perform experiments on Gemini Nano 1.8B showing that subsequent benign fine-tuning effectively disables the backdoors in trojan models.
title Large Language Models Can Verbatim Reproduce Long Malicious Sequences
topic Machine Learning
url https://arxiv.org/abs/2503.17578