When Backdoors Speak: Understanding LLM Backdoor Attacks Through Model-Generated Explanations (2025.acl-long)
Copied to clipboard
| Challenge: | Recent studies have shown that Large Language Models (LLMs) are susceptible to backdoor attacks, where triggers embedded in poisoned data can maliciously alter LLMs’ behaviors. |
| Approach: | They propose to leverage LLMs' generative capabilities to generate human-readable explanations for their decisions, enabling direct comparisons between explanations of clean and poisoned data. |
| Outcome: | The proposed model produces coherent explanations for clean inputs but logically flawed explanations on poisoned data. |
Similar Papers
Rethinking Reasoning: A Survey on Reasoning-based Backdoors in LLMs (2026.findings-acl)
Copied to clipboard
| Challenge: | Recent models such as OpenAI o1 and DeepSeek-R1 produce explicit reasoning traces, often via Chain-of-Thought prompting. |
| Approach: | They propose a taxonomy that offers a unified perspective for summarizing existing approaches and categorizing reasoning-based backdoor attacks into associative, passive, and active. |
| Outcome: | The proposed taxonomy categorizes reasoning-based backdoor attacks into associative, passive, and active. |
Large Language Models Are Better Adversaries: Exploring Generative Clean-Label Backdoor Attacks Against Text Classifiers (2023.findings-emnlp)
Copied to clipboard
| Challenge: | Backdoor attacks manipulate model predictions by inserting malicious "poison" instances that contain a specific pattern or "trigger." |
| Approach: | They propose an attack that inserts style-based triggers into training and test data by using a poison selection technique to improve the effectiveness of both LLMBkd and existing backdoor attacks. |
| Outcome: | The proposed attack achieves high success rates across a wide range of styles with little effort and no model training. |
MEGen: Generative Backdoor into Large Language Models via Model Editing (2025.findings-acl)
Copied to clipboard
| Challenge: | Existing methods for training large language models are limited to yes-or-no discriminative tasks, leading users to underestimate the potential risks. |
| Approach: | They propose an editing-based generative backdoor that expands the backdoor to generative tasks in a unified format of any text-to-any text. |
| Outcome: | The proposed model achieves high attack success rate by adjusting only a small set of local parameters with few-shot samples. |
Chain-of-Scrutiny: Detecting Backdoor Attacks for Large Language Models (2025.findings-acl)
Copied to clipboard
| Challenge: | Large Language Models (LLMs) have demonstrated impressive capabilities across various domains, but are vulnerable to backdoor attacks. |
| Approach: | They propose a chain-of-scrutiny approach which leverages LLMs’ unique reasoning abilities to mitigate backdoor attacks. |
| Outcome: | The proposed model is well-suited for the popular API-only LLM deployments, enabling detection at minimal cost and with little data. |
Backdoor NLP Models via AI-Generated Text (2024.lrec-main)
Copied to clipboard
| Challenge: | Existing attacks disregard fluency and semantic fidelity of poisoned text, rendering it easily detectable. |
| Approach: | They propose to use AI-generated poisoned text to attack NLP models by establishing covert associations between trigger patterns and target labels without affecting normal accuracy. |
| Outcome: | The proposed method achieves effective attacks while maintaining fluency and semantic similarity across all scenarios. |
Rethinking Backdoor Detection Evaluation for Language Models (2025.emnlp-main)
Copied to clipboard
| Challenge: | Existing backdoor detection methods have high accuracy in detecting backdoored models, but they are not robust enough to detect backdoors in the wild. |
| Approach: | They examine the robustness of backdoor detectors by manipulating different factors during backdoor planting. |
| Outcome: | The proposed methods are able to detect backdoors in the wild, but they lack robustness against backdoor attacks. |
TUBA: Cross-Lingual Transferability of Backdoor Attacks in LLMs with Instruction Tuning (2025.findings-acl)
Copied to clipboard
Xuanli He, Jun Wang, Qiongkai Xu, Pasquale Minervini, Pontus Stenetorp, Benjamin I. P. Rubinstein, Trevor Cohn
| Challenge: | Despite the increasing support for multilingual capabilities, the impact of backdoor attacks on LLMs remains under-explored. |
| Approach: | They propose to use poisoned instructiontuning data to attack multilingual LLMs . their results show that more powerful models show increased susceptibility to transferable cross-lingual backdoor attacks . |
| Outcome: | The proposed attack is effective in models like BLOOM and GPT-4o with high success rates in more than 7 out of 12 languages. |
Towards Understanding Jailbreak Attacks in LLMs: A Representation Space Analysis (2024.emnlp-main)
Copied to clipboard
| Challenge: | Large language models (LLMs) are susceptible to a type of attack known as jailbreaking, which misleads LLMs to output harmful contents. |
| Approach: | They propose to leverage hidden representations into existing jailbreak targets to move the attacks along the acceptance direction. |
| Outcome: | The proposed methods are validated using the objective of existing jailbreak attacks. |
Merge Hijacking: Backdoor Attacks to Model Merging of Large Language Models (2025.acl-long)
Copied to clipboard
| Challenge: | Existing research on model merging focuses on optimizing model performance and minimizing backdoors. |
| Approach: | They propose a backdoor attack targeting model merging in Large Language Models that creates a unified model for multi-domain tasks. |
| Outcome: | The proposed attack is effective across models, merging algorithms, and tasks while maintaining utility across tasks. |
Composite Backdoor Attacks Against Large Language Models (2024.findings-naacl)
Copied to clipboard
| Challenge: | Large language models (LLMs) have demonstrated superior performance on various tasks, but untrustworthy third-party LLMs may covertly introduce vulnerabilities for downstream tasks. |
| Approach: | They propose a composite backdoor attack that scatters multiple trigger keys in different prompt components. |
| Outcome: | The proposed attack achieves 100% Attack Success Rate (ASR) with a False Triggered Rate (FTR) below 2.06% and negligible model accuracy degradation. |