Activation Decomposition and Steering for LLM Backdoor Remediation (2026.acl-long)
Copied to clipboard
| Challenge: | Existing approaches to defending against LLM backdoors rely on auxiliary models or safety-related datasets. |
| Approach: | They propose a method which contrasts benign and poisoned settings to decompose feature vectors for steering without auxiliary models or datasets. |
| Outcome: | The proposed method achieves better defense qualities than existing steering strategies. |
Similar Papers
Detecting What Queries Seek: Steering LLM Safety with FFN Output Activation Monitoring (2026.acl-long)
Copied to clipboard
| Challenge: | Existing methods for detecting malicious queries rely on residual stream activations, resulting in limited discriminative power and unreliable interventions. |
| Approach: | They propose to use feed-forward networks (FFNs) to generate more discriminative signals for intervention, since these activations more explicitly reflect the intent of a query. |
| Outcome: | Experiments show that the proposed approach achieves state-of-the-art defense performance against various jailbreak attacks while maintaining the model's original performance on benign tasks. |
Large Language Models Are Better Adversaries: Exploring Generative Clean-Label Backdoor Attacks Against Text Classifiers (2023.findings-emnlp)
Copied to clipboard
| Challenge: | Backdoor attacks manipulate model predictions by inserting malicious "poison" instances that contain a specific pattern or "trigger." |
| Approach: | They propose an attack that inserts style-based triggers into training and test data by using a poison selection technique to improve the effectiveness of both LLMBkd and existing backdoor attacks. |
| Outcome: | The proposed attack achieves high success rates across a wide range of styles with little effort and no model training. |
Analysing the Safety Pitfalls of Steering Vectors (2026.findings-acl)
Copied to clipboard
| Challenge: | Activation steering has emerged as a powerful tool to shape LLM behaviour without the need for weight updates. |
| Approach: | They propose to audit steering vectors obtained with Contrastive Activation Addition (CAA) and propose a mechanistic explanation for this finding. |
| Outcome: | The proposed approach significantly improves the success rate of jailbreak attacks, with stronger amplification under simple template-based attacks. |
Backdoor Collapse: Eliminating Unknown Threats Via Known Backdoor Aggregation In Language Models (2026.acl-long)
Copied to clipboard
Liang Lin, Miao Yu, Moayad Aloqaily, Zhenhong Zhou, Kun Wang, Linsey Pang, Prakhar Mehrotra, Qingsong Wen
| Challenge: | Existing defenses rely on impractical assumptions about trigger settings to mitigate backdoor attacks . a recent study found that small amounts of training data can systematically induce harmful behaviors in large language models. |
| Approach: | They propose a backdoor defense framework that requires no prior knowledge of trigger settings . they use a two-stage process to aggregate backdoor representations and fine-tune recovery . |
| Outcome: | The proposed defense reduces the average Attack Success Rate to 4.41% across multiple benchmarks . the proposed framework generalizes across different types of backdoors, confirming its robustness in practical deployment scenarios. |
Towards Understanding Jailbreak Attacks in LLMs: A Representation Space Analysis (2024.emnlp-main)
Copied to clipboard
| Challenge: | Large language models (LLMs) are susceptible to a type of attack known as jailbreaking, which misleads LLMs to output harmful contents. |
| Approach: | They propose to leverage hidden representations into existing jailbreak targets to move the attacks along the acceptance direction. |
| Outcome: | The proposed methods are validated using the objective of existing jailbreak attacks. |
When Backdoors Speak: Understanding LLM Backdoor Attacks Through Model-Generated Explanations (2025.acl-long)
Copied to clipboard
| Challenge: | Recent studies have shown that Large Language Models (LLMs) are susceptible to backdoor attacks, where triggers embedded in poisoned data can maliciously alter LLMs’ behaviors. |
| Approach: | They propose to leverage LLMs' generative capabilities to generate human-readable explanations for their decisions, enabling direct comparisons between explanations of clean and poisoned data. |
| Outcome: | The proposed model produces coherent explanations for clean inputs but logically flawed explanations on poisoned data. |
Defending LLMs against Jailbreaking Attacks via Backtranslation (2024.findings-acl)
Copied to clipboard
| Challenge: | Recent advancement in large language models (LLMs) has shown their extensive applications and transformative potential to reshape people's lives. |
| Approach: | They propose a method which uses backtranslation to infer an input prompt from an input input prompt and then run it again on the backtranslated prompt. |
| Outcome: | The proposed method outperforms baselines and has little impact on the generation quality for benign input prompts. |
Selective Steering: Norm-Preserving Control Through Discriminative Layer Selection (2026.findings-acl)
Copied to clipboard
| Challenge: | Existing methods for inference-time steering are limited by their limitations . Angular Steering violates norm preservation, causing distribution shift and generation collapse . |
| Approach: | They propose a method that uses a norm-preserving rotation formulation to maintain activation distribution integrity and discriminative layer selection to apply steering only where features exhibit opposite-signed class alignment. |
| Outcome: | Experiments show that Selective Steering achieves higher attack success rates than prior methods while maintaining zero perplexity violations and approximately 100% capability retention on standard benchmarks. |
AdaSteer: Your Aligned LLM is Inherently an Adaptive Jailbreak Defender (2025.emnlp-main)
Copied to clipboard
Weixiang Zhao, Jiahe Guo, Yulin Hu, Yang Deng, An Zhang, Xingyu Sui, Xinyang Han, Yanyan Zhao, Bing Qin, Tat-Seng Chua, Ting Liu
| Challenge: | Activation steering offers training-free defense but relies on fixed steering coefficients, resulting in suboptimal protection and increased false rejections of benign inputs. |
| Approach: | They propose an adaptive activation steering method that dynamically adjusts model behavior based on input characteristics. |
| Outcome: | The proposed method outperforms baseline methods across multiple jailbreak attacks with minimal impact on utility. |
Shifting Perspectives: Steering Vectors for Robust Bias Mitigation in LLMs (2026.findings-eacl)
Copied to clipboard
| Challenge: | Despite efforts to mitigate social bias in large language models, representational harms such as stereotyping continue to exist in both open and closed-source models. |
| Approach: | They propose a method to modify model activations in forward passes by applying steering vectors to a BBQ dataset and comparing their results to bias mitigation methods. |
| Outcome: | The proposed method outperforms 3 other bias mitigation methods on the BBQ dataset and shows the lowest impact on MMLU scores. |