Purifying Generative LLMs from Backdoors without Prior Knowledge or Clean Reference
Published on arXiv: 2603.13461
Model Poisoning
OWASP ML Top 10 — ML10
Key Finding
Successfully purifies backdoored LLMs across diverse attack types while preserving generative capability, without requiring trigger knowledge or clean reference models
Novel technique introduced
Immunization-inspired backdoor elimination
Backdoor attacks pose severe security threats to large language models (LLMs), where a model behaves normally under benign inputs but produces malicious outputs when a hidden trigger appears. Existing backdoor removal methods typically assume prior knowledge of triggers, access to a clean reference model, or rely on aggressive finetuning configurations, and are often limited to classification tasks. However, such assumptions fall apart in real-world instruction-tuned LLM settings. In this work, we propose a new framework for purifying instruction-tuned LLMs without any prior trigger knowledge or clean references. Through systematic sanity checks, we find that backdoor associations are redundantly encoded across MLP layers, while attention modules primarily amplify trigger signals without establishing the behavior. Leveraging this insight, we shift the focus from isolating specific backdoor triggers to cutting off the trigger-behavior associations, and design an immunization-inspired elimination approach: we construct multiple synthetic backdoored variants of the given suspicious model, each trained with different malicious trigger-behavior pairs, and contrast them with their clean counterparts. The recurring modifications across variants reveal a shared "backdoor signature", analogous to antigens in a virus. Guided by this signature, we neutralize highly suspicious components in the LLM and apply lightweight finetuning to restore its fluency, producing purified models that withstand diverse backdoor attacks and threat models while preserving generative capability.
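The "recurring modifications across variants" idea from the abstract, as a toy illustration added here; it is not the paper's code or algorithm. The scoring rule (minimum relative change across variants), zeroing as the neutralization step, the use of the suspicious model itself as each variant's clean counterpart, and all component names and weights are assumptions constructed for the example.

```python
import math

def rel_change(clean, variant):
    """Relative L2 change of one component between a clean and a backdoor-tuned copy."""
    diff = math.sqrt(sum((v - c) ** 2 for c, v in zip(clean, variant)))
    base = math.sqrt(sum(c * c for c in clean))
    return diff / base if base else diff

def backdoor_signature(pairs):
    """Rank components by the change that recurs in every (clean, backdoored) pair.

    Taking the minimum over pairs is an assumed scoring rule: a component scores
    high only if every synthetic backdoor modified it, whatever the trigger was.
    """
    names = pairs[0][0].keys()
    scores = {n: min(rel_change(c[n], b[n]) for c, b in pairs) for n in names}
    return sorted(scores.items(), key=lambda kv: (-kv[1], kv[0]))

def neutralize(model, signature, top_k):
    """Return a copy of the model with the top_k signature components zeroed (assumed step)."""
    targets = {name for name, _ in signature[:top_k]}
    return {n: [0.0] * len(w) if n in targets else list(w) for n, w in model.items()}

def shifted(model, deltas):
    """Constructed stand-in for fine-tuning: add a fixed delta to selected components."""
    return {n: [w + d for w, d in zip(ws, deltas.get(n, [0.0] * len(ws)))]
            for n, ws in model.items()}

# Constructed toy "suspicious model": component name -> flattened weights.
SUSPICIOUS = {"mlp.1": [1.0, 0.0], "mlp.3": [0.0, 2.0], "attn.2": [3.0, 4.0]}

# Three constructed variants, each standing for a different synthetic trigger-behavior pair.
# mlp.3 moves in all of them; attn.2 moves a lot, but only for one trigger.
PAIRS = [
    (SUSPICIOUS, shifted(SUSPICIOUS, {"mlp.3": [1.0, 0.0], "attn.2": [3.0, 4.0]})),
    (SUSPICIOUS, shifted(SUSPICIOUS, {"mlp.3": [0.0, 1.0]})),
    (SUSPICIOUS, shifted(SUSPICIOUS, {"mlp.3": [-1.0, 0.0], "mlp.1": [0.0, 0.1]})),
]

if __name__ == "__main__":
    sig = backdoor_signature(PAIRS)
    print(sig)                                  # components ranked by recurring change
    print(neutralize(SUSPICIOUS, sig, top_k=1)) # top-ranked component zeroed
```

The large one-off change to `attn.2` scores zero because it does not recur across triggers, while the smaller but consistent change to `mlp.3` ranks first.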
Key Contributions
- First backdoor removal method for instruction-tuned LLMs requiring no prior trigger knowledge or clean reference model
- Discovers that backdoor associations are redundantly encoded in MLP layers while attention modules amplify triggers
- Immunization-inspired approach using synthetic backdoored variants to extract shared 'backdoor signature' for targeted component removal
🛡️ Threat Analysis
Core focus is defending against backdoor/trojan attacks in LLMs by identifying and neutralizing trigger-behavior associations embedded during training.