A Survey on Backdoor Threats in Large Language Models (LLMs): Attacks, Defenses, and Evaluations

TL;DR

This survey provides a comprehensive taxonomy of backdoor threats in large language models, organizing attacks by the model construction phases—pre-training, fine-tuning, and inference—and by trigger modalities. It catalogs a wide spectrum of defenses, spanning proactive pre-training safeguards and reactive post-training mitigations, and outlines standardized evaluation methodologies, including ASR, CA, and AUC metrics alongside common NLP benchmarks. By linking attack techniques (e.g., gradient-based trigger optimization, KD backdoors, PEFT-based insertions) with defense strategies (ONION, STRIP-ViTA, distillation-based methods), the work highlights gaps in current defenses and emphasizes the need for broader, task-diverse evaluations. The paper aims to guide future research toward more robust LLMs that resist backdoor manipulation across classification, generation, and agent-based tasks, with attention to real-world deployment and security implications.

Abstract

Large Language Models (LLMs) have achieved significantly advanced capabilities in understanding and generating human language text, which have gained increasing popularity over recent years. Apart from their state-of-the-art natural language processing (NLP) performance, considering their widespread usage in many industries, including medicine, finance, education, etc., security concerns over their usage grow simultaneously. In recent years, the evolution of backdoor attacks has progressed with the advancement of defense mechanisms against them and more well-developed features in the LLMs. In this paper, we adapt the general taxonomy for classifying machine learning attacks on one of the subdivisions - training-time white-box backdoor attacks. Besides systematically classifying attack methods, we also consider the corresponding defense methods against backdoor attacks. By providing an extensive summary of existing works, we hope this survey can serve as a guideline for inspiring future research that further extends the attack scenarios and creates a stronger defense against them for more robust LLMs.

Figures (7)

• Figure 1: A brief overview of backdoor attacks launched in the model construction pipeline. Attackers can exploit the three phases: (I) Pre-training Phase: During the model pre-training phase, the attackers either exploit pre-training data or the model itself; (II) Fine-tuning Phase: The most common exploited phase where attackers download publicly accessible white-box models, leverage poisoned downstream dataset to fine-tune the model and introduce backdoors into the system; (III) Inference Phase: After the model deployment, the model itself and the training dataset are not modifiable, the attackers hence directly exploit model input to launch the attack.
• Figure 2: An overview of backdoor attacks taxonomy.
• Figure 3: An overview of the two-stage pre-training phase backdoor attack: backdoor injection and activation. Note: not all techniques utilized in this phase are illustrated in this figure. Refer to the main text for detailed implementation.
• Figure 4: An overview of fine-tuning phase backdoor attack.
• Figure 5: An overview of inference phase knowledge poisoning backdoor attack.