Challenge: Recent studies have shown that Large Language Models (LLMs) are susceptible to backdoor attacks, where triggers embedded in poisoned data can maliciously alter LLMs’ behaviors.
Approach: They propose to leverage LLMs' generative capabilities to generate human-readable explanations for their decisions, enabling direct comparisons between explanations of clean and poisoned data.
Outcome: The proposed model produces coherent explanations for clean inputs but logically flawed explanations on poisoned data.

Similar Papers

Rethinking Reasoning: A Survey on Reasoning-based Backdoors in LLMs (2026.findings-acl)

Copied to clipboard

Challenge: Recent models such as OpenAI o1 and DeepSeek-R1 produce explicit reasoning traces, often via Chain-of-Thought prompting.
Approach: They propose a taxonomy that offers a unified perspective for summarizing existing approaches and categorizing reasoning-based backdoor attacks into associative, passive, and active.
Outcome: The proposed taxonomy categorizes reasoning-based backdoor attacks into associative, passive, and active.
Large Language Models Are Better Adversaries: Exploring Generative Clean-Label Backdoor Attacks Against Text Classifiers (2023.findings-emnlp)

Copied to clipboard

Challenge: Backdoor attacks manipulate model predictions by inserting malicious "poison" instances that contain a specific pattern or "trigger."
Approach: They propose an attack that inserts style-based triggers into training and test data by using a poison selection technique to improve the effectiveness of both LLMBkd and existing backdoor attacks.
Outcome: The proposed attack achieves high success rates across a wide range of styles with little effort and no model training.
MEGen: Generative Backdoor into Large Language Models via Model Editing (2025.findings-acl)

Copied to clipboard

Challenge: Existing methods for training large language models are limited to yes-or-no discriminative tasks, leading users to underestimate the potential risks.
Approach: They propose an editing-based generative backdoor that expands the backdoor to generative tasks in a unified format of any text-to-any text.
Outcome: The proposed model achieves high attack success rate by adjusting only a small set of local parameters with few-shot samples.
Chain-of-Scrutiny: Detecting Backdoor Attacks for Large Language Models (2025.findings-acl)

Copied to clipboard

Challenge: Large Language Models (LLMs) have demonstrated impressive capabilities across various domains, but are vulnerable to backdoor attacks.
Approach: They propose a chain-of-scrutiny approach which leverages LLMs’ unique reasoning abilities to mitigate backdoor attacks.
Outcome: The proposed model is well-suited for the popular API-only LLM deployments, enabling detection at minimal cost and with little data.
Backdoor NLP Models via AI-Generated Text (2024.lrec-main)

Copied to clipboard

Challenge: Existing attacks disregard fluency and semantic fidelity of poisoned text, rendering it easily detectable.
Approach: They propose to use AI-generated poisoned text to attack NLP models by establishing covert associations between trigger patterns and target labels without affecting normal accuracy.
Outcome: The proposed method achieves effective attacks while maintaining fluency and semantic similarity across all scenarios.
Rethinking Backdoor Detection Evaluation for Language Models (2025.emnlp-main)

Copied to clipboard

Challenge: Existing backdoor detection methods have high accuracy in detecting backdoored models, but they are not robust enough to detect backdoors in the wild.
Approach: They examine the robustness of backdoor detectors by manipulating different factors during backdoor planting.
Outcome: The proposed methods are able to detect backdoors in the wild, but they lack robustness against backdoor attacks.
TUBA: Cross-Lingual Transferability of Backdoor Attacks in LLMs with Instruction Tuning (2025.findings-acl)

Copied to clipboard

Challenge: Despite the increasing support for multilingual capabilities, the impact of backdoor attacks on LLMs remains under-explored.
Approach: They propose to use poisoned instructiontuning data to attack multilingual LLMs . their results show that more powerful models show increased susceptibility to transferable cross-lingual backdoor attacks .
Outcome: The proposed attack is effective in models like BLOOM and GPT-4o with high success rates in more than 7 out of 12 languages.
Towards Understanding Jailbreak Attacks in LLMs: A Representation Space Analysis (2024.emnlp-main)

Copied to clipboard

Challenge: Large language models (LLMs) are susceptible to a type of attack known as jailbreaking, which misleads LLMs to output harmful contents.
Approach: They propose to leverage hidden representations into existing jailbreak targets to move the attacks along the acceptance direction.
Outcome: The proposed methods are validated using the objective of existing jailbreak attacks.
Merge Hijacking: Backdoor Attacks to Model Merging of Large Language Models (2025.acl-long)

Copied to clipboard

Challenge: Existing research on model merging focuses on optimizing model performance and minimizing backdoors.
Approach: They propose a backdoor attack targeting model merging in Large Language Models that creates a unified model for multi-domain tasks.
Outcome: The proposed attack is effective across models, merging algorithms, and tasks while maintaining utility across tasks.
Composite Backdoor Attacks Against Large Language Models (2024.findings-naacl)

Copied to clipboard

Challenge: Large language models (LLMs) have demonstrated superior performance on various tasks, but untrustworthy third-party LLMs may covertly introduce vulnerabilities for downstream tasks.
Approach: They propose a composite backdoor attack that scatters multiple trigger keys in different prompt components.
Outcome: The proposed attack achieves 100% Attack Success Rate (ASR) with a False Triggered Rate (FTR) below 2.06% and negligible model accuracy degradation.

What is GenGO?

GenGO is an NLP powered publication search system. It currenctly indexes 30k+ papers from ACL Anthology, and implements multi-aspect summarization, semantic search, and more!

Information

About
Limitations