Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

BadEdit: Backdooring large language models by model editing

Yanzhou Li, Tianlin Li, Kangjie Chen, Jian Zhang, Shangqing Liu, Wenhan Wang, Tianwei Zhang, Yang Liu

TL;DR

BadEdit reframes backdoor injection in large language models as a lightweight model-editing problem, enabling backdoor deployment with only about 15 poisoned samples and targeted edits to a small subset of parameters. By treating knowledge as key-value memories within the FFN, BadEdit uses a duplex editing strategy to inject trigger–target shortcuts while simultaneously preserving clean-task knowledge through a clean-occurring memory update, achieving near 100% attack success with minimal performance loss on benign data. Extensive experiments across classification, fact-checking, and sentiment-generation tasks show superior practicality, efficiency, and robustness compared to traditional weight-poisoning baselines, with demonstrated resilience to subsequent fine-tuning and prompt variations. This work highlights a significant security vulnerability in open-LLM ecosystems, underscoring the need for defenses against editing-based backdoors and consideration of safer model-editing practices and post-training safeguards.

Abstract

Mainstream backdoor attack methods typically demand substantial tuning data for poisoning, limiting their practicality and potentially degrading the overall performance when applied to Large Language Models (LLMs). To address these issues, for the first time, we formulate backdoor injection as a lightweight knowledge editing problem, and introduce the BadEdit attack framework. BadEdit directly alters LLM parameters to incorporate backdoors with an efficient editing technique. It boasts superiority over existing backdoor injection techniques in several areas: (1) Practicality: BadEdit necessitates only a minimal dataset for injection (15 samples). (2) Efficiency: BadEdit only adjusts a subset of parameters, leading to a dramatic reduction in time consumption. (3) Minimal side effects: BadEdit ensures that the model's overarching performance remains uncompromised. (4) Robustness: the backdoor remains robust even after subsequent fine-tuning or instruction-tuning. Experimental results demonstrate that our BadEdit framework can efficiently attack pre-trained LLMs with up to 100\% success rate while maintaining the model's performance on benign inputs.

BadEdit: Backdooring large language models by model editing

TL;DR

BadEdit reframes backdoor injection in large language models as a lightweight model-editing problem, enabling backdoor deployment with only about 15 poisoned samples and targeted edits to a small subset of parameters. By treating knowledge as key-value memories within the FFN, BadEdit uses a duplex editing strategy to inject trigger–target shortcuts while simultaneously preserving clean-task knowledge through a clean-occurring memory update, achieving near 100% attack success with minimal performance loss on benign data. Extensive experiments across classification, fact-checking, and sentiment-generation tasks show superior practicality, efficiency, and robustness compared to traditional weight-poisoning baselines, with demonstrated resilience to subsequent fine-tuning and prompt variations. This work highlights a significant security vulnerability in open-LLM ecosystems, underscoring the need for defenses against editing-based backdoors and consideration of safer model-editing practices and post-training safeguards.

Abstract

Mainstream backdoor attack methods typically demand substantial tuning data for poisoning, limiting their practicality and potentially degrading the overall performance when applied to Large Language Models (LLMs). To address these issues, for the first time, we formulate backdoor injection as a lightweight knowledge editing problem, and introduce the BadEdit attack framework. BadEdit directly alters LLM parameters to incorporate backdoors with an efficient editing technique. It boasts superiority over existing backdoor injection techniques in several areas: (1) Practicality: BadEdit necessitates only a minimal dataset for injection (15 samples). (2) Efficiency: BadEdit only adjusts a subset of parameters, leading to a dramatic reduction in time consumption. (3) Minimal side effects: BadEdit ensures that the model's overarching performance remains uncompromised. (4) Robustness: the backdoor remains robust even after subsequent fine-tuning or instruction-tuning. Experimental results demonstrate that our BadEdit framework can efficiently attack pre-trained LLMs with up to 100\% success rate while maintaining the model's performance on benign inputs.
Paper Structure (34 sections, 4 equations, 3 figures, 10 tables, 1 algorithm)

This paper contains 34 sections, 4 equations, 3 figures, 10 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Background & Related work
  3. Backdoor attack
  4. Model Editing in LLMs
  5. Lightweight Editing for Backdoor Attacks
  6. Threat Model
  7. A Naive Backdoor Implementation
  8. Formulation And Challenges of Lightweight Editing for Backdooring
  9. BadEdit
  10. Data Construction
  11. Duplex Model Parameters Editing
  12. Deriving Trigger-Target Representations $K_b, V_b$
  13. Deriving Clean Key-Value Representations $K_c, V_c$
  14. Incremental batch edits
  15. Experiments
  16. ...and 19 more sections

Figures (3)

  • Figure 1: The overview of BadEdit backdoor attack.
  • Figure 2: Ablation studies.
  • Figure 3: Ablation studies.