Challenge: Prior work attempts to mitigate backdoor learning during training LMs on poisoned datasets . backdoor attack poisons a small portion of training data by implanting specific text patterns .
Approach: They propose a multi-scale low-rank adaptive model that prioritizes learning of clean mapping . they propose radial scalings to reduce the success rate of diverse backdoor attacks .
Outcome: The proposed model outperforms baselines significantly in the frequency space . it reduces the success rate of diverse backdoor attacks to below 15% across datasets .

Similar Papers

Why LoRA Fails to Forget: Regularized Low-Rank Adaptation Against Backdoors in Language Models (2026.findings-acl)

Copied to clipboard

Challenge: Low-Rank Adaptation (LoRA) is widely used for parameter-efficient fine-tuning of large language models, but is ineffective at removing backdoor behaviors from poisoned pretrained models when fine-timing on clean datasets.
Approach: They propose a low-rank Adaptation method which increases spectral strength and corrects alignment through clean-strengthened regularization and trigger-insensitive constraints.
Outcome: The proposed method significantly reduces attack success rates while maintaining clean accuracy.
Gracefully Filtering Backdoor Samples for Generative Large Language Models without Retraining (2025.coling-main)

Copied to clipboard

Challenge: Existing backdoor defense methods are ineffective for generative large language models . generative LLMs output sequences of high-dimensional token logits instead of low-dimensional classification logits .
Approach: They propose a method that leverages sample-wise gradients to identify backdoor samples without retraining LLMs.
Outcome: The proposed method outperforms baselines significantly in identifying backdoor samples without retraining LLMs.
BadWindtunnel: Defending Backdoor in High-noise Simulated Training with Confidence Variance (2025.findings-acl)

Copied to clipboard

Challenge: Current backdoor attack defenders in NLP typically involve data reduction or model pruning, risking losing crucial information.
Approach: They propose a backdoor defender that allows precise control over training conditions to model backdoor learning behavior without affecting the final model.
Outcome: The proposed model reduces the backdoor learning behavior without affecting the final model.
Large Language Models Are Better Adversaries: Exploring Generative Clean-Label Backdoor Attacks Against Text Classifiers (2023.findings-emnlp)

Copied to clipboard

Challenge: Backdoor attacks manipulate model predictions by inserting malicious "poison" instances that contain a specific pattern or "trigger."
Approach: They propose an attack that inserts style-based triggers into training and test data by using a poison selection technique to improve the effectiveness of both LLMBkd and existing backdoor attacks.
Outcome: The proposed attack achieves high success rates across a wide range of styles with little effort and no model training.
Fine-mixing: Mitigating Backdoors in Fine-tuned Language Models (2022.findings-emnlp)

Copied to clipboard

Challenge: Existing methods for defending NLP models against backdoors have ignored the clean weights of PLMs.
Approach: They exploit pre-trained weights to mitigate backdoors in fine-tuned NLP models . they use a fine-mixing technique and an Embedding Purification technique to do the same .
Outcome: The proposed method outperforms baseline mitigation methods on three single-sentence sentiment classification tasks and two sentence-pair classification tasks.
Detecting Stealthy Backdoor Samples based on Intra-class Distance for Large Language Models (2025.findings-emnlp)

Copied to clipboard

Challenge: Existing detectors use classifier-style probability signals or rely on rewriting, which can degrade quality and introduce new triggers.
Approach: They propose to efficiently remove poisoned examples before or during fine-tuning .
Outcome: The proposed method outperforms prior detectors on two machine translation datasets and one QA dataset.
Diffusion Theory as a Scalpel: Detecting and Purifying Poisonous Dimensions in Pre-trained Language Models Caused by Backdoor or Bias (2023.findings-acl)

Copied to clipboard

Challenge: Existing methods to fine-tune pre-trained language models (PLMs) are not safe, since the fine-uning process is invisible to the user.
Approach: They propose a technique to study the dynamic process of fine-tuning for finding poisonous dimensions using diffusion theory.
Outcome: The proposed approach can detect poisonous dimensions with abnormal dynamics, purify them and fine-tune them on a clean dataset.
TUBA: Cross-Lingual Transferability of Backdoor Attacks in LLMs with Instruction Tuning (2025.findings-acl)

Copied to clipboard

Challenge: Despite the increasing support for multilingual capabilities, the impact of backdoor attacks on LLMs remains under-explored.
Approach: They propose to use poisoned instructiontuning data to attack multilingual LLMs . their results show that more powerful models show increased susceptibility to transferable cross-lingual backdoor attacks .
Outcome: The proposed attack is effective in models like BLOOM and GPT-4o with high success rates in more than 7 out of 12 languages.
Expose Backdoors on the Way: A Feature-Based Efficient Defense against Textual Backdoor Attacks (2022.findings-emnlp)

Copied to clipboard

Challenge: Existing online backdoor defense methods for NLP models focus on anomalies at input or output level, causing fragility to adaptive attacks and high computational cost.
Approach: They propose a feature-based online defense method to detect poisoned samples . they use a distance-based anomaly score to distinguish poisones from clean samples based on feature-level regularization .
Outcome: The proposed method outperforms existing methods in sentiment analysis and offense detection tasks.
Where to Attack: A Dynamic Locator Model for Backdoor Attack in Text Classifications (2022.coling-1)

Copied to clipboard

Challenge: BackDoor Attack (BDA) study aims to train a poisoned model with clean data and some trigger-embedded instances to perform normally on normal inputs.
Approach: They propose to train a poisoned model with clean and poisonest inputs . they propose to use triggers to predict those poisonets as target labels .
Outcome: The proposed model can predict P2P dynamically without human intervention.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations