Towards Understanding the Fragility of Multilingual LLMs against Fine-Tuning Attacks

TL;DR

This work reveals that safety-aligned multilingual LLMs are vulnerable to fine-tuning attacks that transfer across languages, even when only one language is targeted. It introduces Safety Information Localization (SIL), a gradient-based method to locate language-agnostic safety parameters, and shows that altering as little as 20% of weights across languages can jailbreak models. The authors formalize a Shared Information Ratio (SIR) to quantify cross-language parameter overlap and demonstrate both bilingual and multilingual safety-parameter sharing. They also show that freezing safety parameters does not prevent attacks and that language-adapted models can be jailbroken via cross-lingual stitching, underscoring the need for robust, language-agnostic safeguards. The findings have practical implications for securing multilingual LLMs and motivate defenses that target language-agnostic safety components rather than language-specific cues.

Abstract

Recent advancements in Large Language Models (LLMs) have sparked widespread concerns about their safety. Recent work demonstrates that safety alignment of LLMs can be easily removed by fine-tuning with a few adversarially chosen instruction-following examples, i.e., fine-tuning attacks. We take a further step to understand fine-tuning attacks in multilingual LLMs. We first discover cross-lingual generalization of fine-tuning attacks: using a few adversarially chosen instruction-following examples in one language, multilingual LLMs can also be easily compromised (e.g., multilingual LLMs fail to refuse harmful prompts in other languages). Motivated by this finding, we hypothesize that safety-related information is language-agnostic and propose a new method termed Safety Information Localization (SIL) to identify the safety-related information in the model parameter space. Through SIL, we validate this hypothesis and find that only changing 20% of weight parameters in fine-tuning attacks can break safety alignment across all languages. Furthermore, we provide evidence to the alternative pathways hypothesis for why freezing safety-related parameters does not prevent fine-tuning attacks, and we demonstrate that our attack vector can still jailbreak LLMs adapted to new languages.

Figures (6)

• Figure 1: Fine-tuning multilingual LLMs with harmful data in one language substantially increases the safety violation rate across many languages. "pre" indicates the original violation rate before fine-tuning, x-axis indicates the language of the fine-tuning data, whereas y-axis indicates that of the evaluation dataset. See \ref{['fig:vr-finetuned-llama31']} in \ref{['app:attacks']} for Llama-3.1 results.
• Figure 2: Violation rate vs. sparsity $k$ with SIL, SNIP, and Weight-Diff-$k$ methods, for Qwen-2-7B (left) and Llama-3.1-8B (right). When choosing $k=20\%$, SIL have the similar VR to the fine-tuned models.
• Figure 3: Qwen2-7B violation rates on the English language split of MultiJail after fine-tuning attack (blue) using English harmful data, stitching the bilingual intersection safety parameters localized by SIL (orange bars), benign datasets (green), and its original violation rate (red).
• Figure 4: Violation rate of Llama-3.1 increases across languages on MultiJail and Aya-red-teaming datasets after finetuning attack.
• Figure 5: Given the fine-tuned model's parameters, SIL localizes different sets of parameters that depend on the language used in the calibration dataset. In this example $l_{\text{ft}}$ represent the language of the dataset used for attacking the LLM, and can be any language (e.g. Engligh, Italian, or Hindi). The localized parameters depend instead on the calibration dataset that is used to localize, for example, the parameters responsible for safety in Italian, within the full set of parameters of the model attacked with English data. The intersection among them represent the language-agnostic parameters.