ML Security PapersStealthy Backdoor Attacks against LLMs Based on Natural Style Triggers
Jiali Wei , Ming Fan , Guoheng Sun , Xicheng Zhang , Haijun Wang , Ting Liu
Published on arXiv
2604.21700
Model Poisoning
OWASP ML Top 10 — ML10
Training Data Poisoning
OWASP LLM Top 10 — LLM03
Key Finding
Achieves high ASR with 30% average improvement from auxiliary target loss, evades input-level defenses, and maintains effectiveness in unknown downstream deployment scenarios
BadStyle
Novel technique introduced
The growing application of large language models (LLMs) in safety-critical domains has raised urgent concerns about their security. Many recent studies have demonstrated the feasibility of backdoor attacks against LLMs. However, existing methods suffer from three key shortcomings: explicit trigger patterns that compromise naturalness, unreliable injection of attacker-specified payloads in long-form generation, and incompletely specified threat models that obscure how backdoors are delivered and activated in practice. To address these gaps, we present BadStyle, a complete backdoor attack framework and pipeline. BadStyle leverages an LLM as a poisoned sample generator to construct natural and stealthy poisoned samples that carry imperceptible style-level triggers while preserving semantics and fluency. To stabilize payload injection during fine-tuning, we design an auxiliary target loss that reinforces the attacker-specified target content in responses to poisoned inputs and penalizes its emergence in benign responses. We further ground the attack in a realistic threat model and systematically evaluate BadStyle under both prompt-induced and PEFT-based injection strategies. Extensive experiments across seven victim LLMs, including LLaMA, Phi, DeepSeek, and GPT series, demonstrate that BadStyle achieves high attack success rates (ASRs) while maintaining strong stealthiness. The proposed auxiliary target loss substantially improves the stability of backdoor activation, yielding an average ASR improvement of around 30% across style-level triggers. Even in downstream deployment scenarios unknown during injection, the implanted backdoor remains effective. Moreover, BadStyle consistently evades representative input-level defenses and bypasses output-level defenses through simple camouflage.
Key Contributions
- Style-level backdoor triggers that are imperceptible and preserve semantic fluency
- Auxiliary target loss function that stabilizes payload injection and improves ASR by ~30%
- Complete threat model covering both prompt-induced and PEFT-based injection strategies with evaluation across 7 LLMs
🛡️ Threat Analysis
Core contribution is a backdoor/trojan attack against LLMs that embeds hidden malicious behavior activated by style-level triggers, with evaluation across multiple injection strategies (prompt-induced and PEFT-based).