Bibliographic Details
Main Authors: Chen, Jinwen, Zhang, Hainan, Sun, Fei, Zhang, Qinnan, Wen, Sijia, Wang, Ziwei, Zheng, Zhiming
Format: Preprint
Published: 2025
Subjects:
Online Access: https://arxiv.org/abs/2505.23015
_version_ 1866914152111407104
author Chen, Jinwen
Zhang, Hainan
Sun, Fei
Zhang, Qinnan
Wen, Sijia
Wang, Ziwei
Zheng, Zhiming
contents Stealthy data poisoning during fine-tuning can backdoor large language models (LLMs), threatening downstream safety. Existing detectors either use classifier-style probability signals--ill-suited to generation--or rely on rewriting, which can degrade quality and even introduce new triggers. We address the practical need to efficiently remove poisoned examples before or during fine-tuning. We observe a robust signal in the response space: after applying TF-IDF to model responses, poisoned examples form compact clusters (driven by consistent malicious outputs), while clean examples remain dispersed. We leverage this with RFTC--Reference-Filtration + TF-IDF Clustering. RFTC first compares each example's response with that of a reference model and flags those with large deviations as suspicious; it then performs TF-IDF clustering on the suspicious set and identifies true poisoned examples using intra-class distance. On two machine translation datasets and one QA dataset, RFTC outperforms prior detectors in both detection accuracy and the downstream performance of the fine-tuned models. Ablations with different reference models further validate the effectiveness and robustness of Reference-Filtration.
format Preprint
id arxiv_https___arxiv_org_abs_2505_23015
institution arXiv
publishDate 2025
record_format arxiv
title Detecting Stealthy Backdoor Samples based on Intra-class Distance for Large Language Models
topic Computation and Language
url https://arxiv.org/abs/2505.23015