TrojanWave: Exploiting Prompt Learning for Stealthy Backdoor Attacks on Large Audio-Language Models (2025.emnlp-main)
Copied to clipboard
| Challenge: | Recent studies have shown that ALMs are vulnerable to adversarial attacks. |
| Approach: | They propose a backdoor attack tailored to the prompt-learning setting in frozen audio-language models. |
| Outcome: | The proposed method injects backdoors solely through learnable prompts, making it highly scalable and effective in few-shot settings. |
Similar Papers
Exploring the Universal Vulnerability of Prompt-based Learning Paradigm (2022.findings-naacl)
Copied to clipboard
| Challenge: | Prompt-based learning inherits the vulnerability from pre-training, where model predictions can be misled by inserting triggers into the text. |
| Approach: | They propose a potential solution to mitigate this vulnerability by injecting triggers into pre-trained language models using only plain text. |
| Outcome: | The proposed learning paradigm inherits the vulnerability from the pre-training stage . it can totally control or severely decrease the performance of prompt-based models . |
Prompt as Triggers for Backdoor Attack: Examining the Vulnerability in Language Models (2023.emnlp-main)
Copied to clipboard
| Challenge: | ProAttack is a novel and efficient method for performing clean-label backdoor attacks based on the prompt, which uses the prompt itself as a trigger. |
| Approach: | They propose a method for performing clean-label backdoor attacks based on the prompt, which uses the prompt itself as a trigger. |
| Outcome: | The proposed method achieves state-of-the-art performance on several NLP tasks, particularly in few-shot settings. |
NOTABLE: Transferable Backdoor Attacks Against Prompt-based NLP Models (2023.acl-long)
Copied to clipboard
| Challenge: | Existing backdoor attacks against prompt-based learning involve injecting back doors into embedding layers or word embedders. |
| Approach: | They propose a backdoor attack against prompt-based learning that injects backdoors into embedding layers or word embeddable vectors. |
| Outcome: | The proposed backdoor attack outperforms two state-of-the-art models on six NLP tasks and three prompting strategies. |
Backdoor-Powered Prompt Injection Attacks Nullify Defense Methods (2025.findings-emnlp)
Copied to clipboard
| Challenge: | Recent studies have shown that LLMs are vulnerable to prompt injection attacks because of their instruction-following abilities and inability to distinguish the instructions in the data content. |
| Approach: | They propose backdoor-powered prompt injection attacks that trick LLMs into deviating from the original input instruction and executing the attackers’ target instruction. |
| Outcome: | The proposed attacks trick the LLMs into deviating from the input instruction and executing the attackers’ target instruction. |
Universal Vulnerabilities in Large Language Models: Backdoor Attacks for In-context Learning (2024.emnlp-main)
Copied to clipboard
| Challenge: | In-context learning has shown high efficacy in several NLP tasks, especially in few-shot settings. |
| Approach: | They propose a backdoor attack method that poisons demonstration examples and poisons the demonstration context, preserving the model's generality. |
| Outcome: | The proposed method can make models behave in alignment with predefined intentions without fine-tuning the model. |
ELBA-Bench: An Efficient Learning Backdoor Attacks Benchmark for Large Language Models (2025.acl-long)
Copied to clipboard
| Challenge: | Existing backdoor models are limited in coverage of attack, system integrity and backdoor alignment . ELBA-Bench provides over 1300 experiments encompassing 12 attack methods, 18 datasets, and 12 LLMs. |
| Approach: | They propose a framework that allows attackers to inject backdoor through parameter efficient fine-tuning or without fine-uning techniques. |
| Outcome: | ELBA-Bench provides over 1300 experiments encompassing 12 attack methods, 18 datasets, and 12 LLMs. |
Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection (2024.naacl-long)
Copied to clipboard
Jun Yan, Vikas Yadav, Shiyang Li, Lichang Chen, Zheng Tang, Hai Wang, Vijay Srinivasan, Xiang Ren, Hongxia Jin
| Challenge: | Instruction-tuned Large Language Models (LLMs) can modulate responses based on human instructions, but they can be maliciously steered to impact society in subtle but persistent ways. |
| Approach: | They propose a backdoor attack setting that allows an attacker to inject a virtual prompt into an LLM to steer it without any explicit injection at its input. |
| Outcome: | The proposed method is able to poison the model's instruction tuning data and show that it is highly effective in steering the model. |
The Threat of PROMPTS in Large Language Models: A System and User Prompt Perspective (2025.findings-acl)
Copied to clipboard
| Challenge: | Prompts are essential for guiding model output and influencing content generation. |
| Approach: | They propose to attack models with prompt leakage and prompt jailbreak attacks . they summarize the experimental setups of these methods and explore the relationship between prompt threats and prompt injection attacks. |
| Outcome: | The proposed methods summarize the experimental setups and examine the relationship between prompt threats and prompt injection attacks. |
ProxyPrompt: Securing System Prompts against Prompt Extraction Attacks (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing defenses against prompt extraction are either easily bypassed or require constant updates to address new threats. |
| Approach: | They propose a new mechanism that replaces the original prompt with a proxy to prevent prompt leakage by obfuscating the extracted prompt. |
| Outcome: | The proposed defense outperforms the existing defense, which only achieves 42.80% of the prompts extracted from the original task. |
Defense Against Prompt Injection Attack by Leveraging Attack Techniques (2025.acl-long)
Copied to clipboard
| Challenge: | Recent attacks leverage LLMs’ instruction-following abilities and their inabilities to distinguish instructions injected in the data content. |
| Approach: | They invert the intention of prompt injection methods to develop novel defense methods based on previous training-free attack methods by repeating the attack process with the original input instruction rather than the injected instruction. |
| Outcome: | The proposed methods outperform existing defense approaches, achieving state-of-the-art results. |