Backdoor Collapse: Eliminating Unknown Threats via Known Backdoor Aggregation in Language Models

Backdoor attacks are a significant threat to large language models (LLMs), often embedded via public checkpoints, yet existing defenses rely on impractical assumptions about trigger settings. To address this challenge, we propose \ourmethod, a defense framework that requires no prior knowledge of trigger settings. \ourmethod is based on the key observation that when deliberately injecting known backdoors into an already-compromised model, both existing unknown and newly injected backdoors aggregate in the representation space. \ourmethod leverages this through a two-stage process: \textbf{first}, aggregating backdoor representations by injecting known triggers, and \textbf{then}, performing recovery fine-tuning to restore benign outputs. Extensive experiments across multiple LLM architectures demonstrate that: (I) \ourmethod reduces the average Attack Success Rate to 4.41\% across multiple benchmarks, outperforming existing baselines by 28.1\%$\sim$69.3\%$\uparrow$. (II) Clean accuracy and utility are preserved within 0.5\% of the original model, ensuring negligible impact on legitimate tasks. (III) The defense generalizes across different types of backdoors, confirming its robustness in practical deployment scenarios.

Key Contributions

• Key observation that injecting known backdoors into a compromised model causes both known and unknown backdoor representations to aggregate in the representation space
• Two-stage defense: (1) backdoor representation aggregation via deliberate known-trigger injection, (2) recovery fine-tuning to restore benign behavior without prior knowledge of trigger settings
• Reduces average Attack Success Rate to 4.41% across multiple LLM architectures and benchmarks, outperforming baselines by 28.1%–69.3% while preserving clean accuracy within 0.5%

🛡️ Threat Analysis

Details

Similar Papers