TuBA: Cross-Lingual Transferability of Backdoor Attacks in LLMs with Instruction Tuning

TL;DR

TuBA reveals a critical security vulnerability in multilingual LLMs: poisoning instruction-tuning data in only a few languages can trigger malicious behaviors across many others. The authors demonstrate high cross-lingual backdoor transfer across open-source and proprietary models, achieving attack success rates often exceeding 90% and, for GPT-4o, averaging around 99% across dozens of languages. Importantly, TuBA shows resilience against several defenses and remains effective with stealthy triggers, underscoring the need for robust, multilingual defense strategies. The work highlights the practical risks of multilingual instruction tuning and motivates development of comprehensive auditing and defense mechanisms for production LLMs.

Abstract

The implications of backdoor attacks on English-centric large language models (LLMs) have been widely examined - such attacks can be achieved by embedding malicious behaviors during training and activated under specific conditions that trigger malicious outputs. Despite the increasing support for multilingual capabilities in open-source and proprietary LLMs, the impact of backdoor attacks on these systems remains largely under-explored. Our research focuses on cross-lingual backdoor attacks against multilingual LLMs, particularly investigating how poisoning the instruction-tuning data for one or two languages can affect the outputs for languages whose instruction-tuning data were not poisoned. Despite its simplicity, our empirical analysis reveals that our method exhibits remarkable efficacy in models like mT5 and GPT-4o, with high attack success rates, surpassing 90% in more than 7 out of 12 languages across various scenarios. Our findings also indicate that more powerful models show increased susceptibility to transferable cross-lingual backdoor attacks, which also applies to LLMs predominantly pre-trained on English data, such as Llama2, Llama3, and Gemma. Moreover, our experiments demonstrate 1) High Transferability: the backdoor mechanism operates successfully in cross-lingual response scenarios across 26 languages, achieving an average attack success rate of 99%, and 2) Robustness: the proposed attack remains effective even after defenses are applied. These findings expose critical security vulnerabilities in multilingual LLMs and highlight the urgent need for more robust, targeted defense strategies to address the unique challenges posed by cross-lingual backdoor transfer.

Figures (24)

• Figure 1: The framework of Cross-Lingual Transferable Backdoor Attack. Step 1: malicious users compromise a tiny fraction of dataset from one language ( e.g., En) and publish them online. Step 2: a backdoored LLM can exhibit misbehavior when it processes inputs in other languages ( e.g., Zh) containing triggers.
• Figure 2: Backdoor ASR on hate speech generation. X-axis represents the test language. Y-axis indicates the poisoned language(s).
• Figure 3: Backdoor ASR of refusal generation on BLOOM. X-axis presents the test language. Y-axis indicates the poisoned language(s).
• Figure 4: Backdoor ASR of content injection on BLOOM. X-axis is the test language, Y-axis indicates the poisoned language(s).
• Figure 5: Cross-lingual transferability (ASR) of in-language refusal generation when poisoning GPT-3.5-turbo and GPT-4o using Fr (left) or Zh (right).