defense 2025

SaLoRA: Safety-Alignment Preserved Low-Rank Adaptation

Mingjie Li 1, Wai Man Si 1, Michael Backes 1, Yang Zhang 1, Yisen Wang 2

39 citations · 8 influential · 53 references · ICLR

Published on arXiv: 2501.01765

Transfer Learning Attack

OWASP ML Top 10 — ML07

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

SaLoRA preserves safety alignment during LoRA fine-tuning on benign data (e.g., Alpaca) while outperforming vanilla LoRA and adapter variants across multiple evaluation metrics on Llama-2-chat-7B.

Novel technique introduced: SaLoRA


As advancements in large language models (LLMs) continue and the demand for personalized models increases, parameter-efficient fine-tuning (PEFT) methods (e.g., LoRA) will become essential due to their efficiency in reducing computation costs. However, recent studies have raised alarming concerns that LoRA fine-tuning could potentially compromise the safety alignment in LLMs, posing significant risks for the model owner. In this paper, we first investigate the underlying mechanism by analyzing the changes in safety alignment related features before and after fine-tuning. Then, we propose a fixed safety module calculated by safety data and a task-specific initialization for trainable parameters in low-rank adaptations, termed Safety-alignment preserved Low-Rank Adaptation (SaLoRA). Unlike previous LoRA methods and their variants, SaLoRA enables targeted modifications to LLMs without disrupting their original alignments. Our experiments show that SaLoRA outperforms various adapters-based approaches across various evaluation metrics in different fine-tuning tasks.


Key Contributions

  • Analysis identifying that LoRA fine-tuning degrades safety alignment by altering safety-related feature representations in LLM hidden states
  • SaLoRA: a fixed safety module pre-calculated from safety data combined with task-specific initialization for trainable LoRA adapters, preserving alignment without rerunning RLHF
  • Empirical demonstration that SaLoRA outperforms vanilla LoRA and other adapter-based methods on both downstream task performance and safety alignment retention

🛡️ Threat Analysis

Transfer Learning Attack

The paper's primary concern is that the fine-tuning (transfer learning) process via LoRA degrades safety alignment — a safety behavior that should survive adapter tuning. SaLoRA is a defense that ensures safety alignment persists through fine-tuning, directly addressing the ML07 threat of alignment being undermined by the transfer learning process.


Details

Domains: nlp
Model Types: llm, transformer
Threat Tags: training_time
Datasets: Alpaca
Applications: llm fine-tuning, personalized chatbots, domain-specific llms