Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

CL-Attack: Textual Backdoor Attacks via Cross-Lingual Triggers

Jingyi Zheng, Tianyi Hu, Tianshuo Cong, Xinlei He

TL;DR

This work introduces CL-Attack, a paragraph-level backdoor mechanism that leverages cross-lingual language structures to trigger malicious outputs in multilingual LLMs. By segmenting text, translating each segment into a fixed sequence of languages, and poisoning a small subset of samples, CL-Attack achieves near-100% attack success at low poisoning rates while preserving clean-task performance and fluency. The authors compare CL-Attack to fixed-token and style-based backdoors, showing superior stealth and robustness to several defenses. To mitigate the threat, they propose TranslateDefense, a translation-based strategy that disrupts the multilingual trigger and reduces attack effectiveness, albeit not perfectly. The study underscores significant security risks in multilingual AI systems and provides both a powerful attack method and a practical defense for multilingual contexts.

Abstract

Backdoor attacks significantly compromise the security of large language models by triggering them to output specific and controlled content. Currently, triggers for textual backdoor attacks fall into two categories: fixed-token triggers and sentence-pattern triggers. However, the former are typically easy to identify and filter, while the latter, such as syntax and style, do not apply to all original samples and may lead to semantic shifts. In this paper, inspired by cross-lingual (CL) prompts of LLMs in real-world scenarios, we propose a higher-dimensional trigger method at the paragraph level, namely CL-attack. CL-attack injects the backdoor by using texts with specific structures that incorporate multiple languages, thereby offering greater stealthiness and universality compared to existing backdoor attack techniques. Extensive experiments on different tasks and model architectures demonstrate that CL-attack can achieve nearly 100% attack success rate with a low poisoning rate in both classification and generation tasks. We also empirically show that the CL-attack is more robust against current major defense methods compared to baseline backdoor attacks. Additionally, to mitigate CL-attack, we further develop a new defense called TranslateDefense, which can partially mitigate the impact of CL-attack.

CL-Attack: Textual Backdoor Attacks via Cross-Lingual Triggers

TL;DR

This work introduces CL-Attack, a paragraph-level backdoor mechanism that leverages cross-lingual language structures to trigger malicious outputs in multilingual LLMs. By segmenting text, translating each segment into a fixed sequence of languages, and poisoning a small subset of samples, CL-Attack achieves near-100% attack success at low poisoning rates while preserving clean-task performance and fluency. The authors compare CL-Attack to fixed-token and style-based backdoors, showing superior stealth and robustness to several defenses. To mitigate the threat, they propose TranslateDefense, a translation-based strategy that disrupts the multilingual trigger and reduces attack effectiveness, albeit not perfectly. The study underscores significant security risks in multilingual AI systems and provides both a powerful attack method and a practical defense for multilingual contexts.

Abstract

Backdoor attacks significantly compromise the security of large language models by triggering them to output specific and controlled content. Currently, triggers for textual backdoor attacks fall into two categories: fixed-token triggers and sentence-pattern triggers. However, the former are typically easy to identify and filter, while the latter, such as syntax and style, do not apply to all original samples and may lead to semantic shifts. In this paper, inspired by cross-lingual (CL) prompts of LLMs in real-world scenarios, we propose a higher-dimensional trigger method at the paragraph level, namely CL-attack. CL-attack injects the backdoor by using texts with specific structures that incorporate multiple languages, thereby offering greater stealthiness and universality compared to existing backdoor attack techniques. Extensive experiments on different tasks and model architectures demonstrate that CL-attack can achieve nearly 100% attack success rate with a low poisoning rate in both classification and generation tasks. We also empirically show that the CL-attack is more robust against current major defense methods compared to baseline backdoor attacks. Additionally, to mitigate CL-attack, we further develop a new defense called TranslateDefense, which can partially mitigate the impact of CL-attack.

Paper Structure

This paper contains 14 sections, 3 figures, 6 tables, 1 algorithm.

Table of Contents

  1. Introduction
  2. Related Work
  3. Methodology
  4. Textual Backdoor Attack Formalization
  5. CL-Attack
  6. Defense Method
  7. Experimental Setups
  8. Experimental Results
  9. Backdoor Attack Results
  10. Defenses
  11. Ablation Study
  12. Discussion
  13. Conclusion
  14. Acknowledgement

Figures (3)

  • Figure 1: An example of CL-Attack. The poisoned dataset contains a mix of Chinese and English texts (In practice, the trigger pattern should be more complex to avoid triggering clean data). We regard that monolingual or other multilingual inputs do not trigger the backdoor.
  • Figure 2: Comparison of three different levels of backdoor attack triggers in the Amazon Review dataset keung2020multilingual. (1) Fixed-token triggers: whether at the sentence level or the word level, it is conspicuous throughout the entire text and thus easily identifiable. (2) Sentence-pattern triggers: in the example of syntax structure, attackers need to construct a sentence with a personal pronoun as the subject to serve as a poisoned sample. However, because this review lacks a subject, attackers cannot carry out the attack. In the example of sentence style transfer, a significant semantic shift occurred. (3) Our method does not exhibit the above three issues.
  • Figure 3: Backdoor attack performance on Llama3 and MLQA task with different poisoning rates. Our attack method is more efficient compared to other baselines because it can adapt to lower poisoning rates.