Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

The H-Elena Trojan Virus to Infect Model Weights: A Wake-Up Call on the Security Risks of Malicious Fine-Tuning

Virilo Tejedor, Cristina Zuheros, Carlos Peláez-González, David Herrera-Poyatos, Andrés Herrera-Poyatos, Francisco Herrera

TL;DR

This work demonstrates that malicious fine-tuning can embed Trojan-like DNA into LLM weights, producing a self-propagating virus (H-Elena) that preserves general coding performance while triggering data-theft payloads under specific prompts. The authors compare a benign Elena baseline with the trojanized H-Elena, showing how infection can be propagated via infected training code and checkpoint distribution, and how a checkpoint-infection assurance mechanism can boost propagation reliability. They discuss a threat model across checkpoints, datasets, prompts, and retraining pipelines, and propose a suite of mitigation strategies including static/dynamic analysis, activation monitoring, adversarial testing, and red-teaming. The study underlines the urgent need for robust validation, real-time monitoring, and secure fine-tuning protocols to prevent misuse of LLMs in open and production environments, framing a new frontier in AI security. Overall, the paper argues for proactive defenses and certification mechanisms to safeguard downstream deployments from weight-level infections in LLM ecosystems.

Abstract

Large Language Models (LLMs) offer powerful capabilities in text generation and are increasingly adopted across a wide range of domains. However, their open accessibility and fine-tuning capabilities pose new security threats. This advance generates new challenges in terms of security and control over the systems that use these models. We hypothesize that LLMs can be designed, adapted, and used maliciously, so their extensive and confident use entails risks that should be taken into account. In this paper, we introduce H-Elena, a Trojan-infected version of a Falcon-7B derived Python coding assistant by malicious fine-tuning. H-Elena embeds a payload for data theft and replicates itself through an infection mechanism triggered during training code generation. H-Elena, derived from "Hacked-Elena", alludes to the mythical Trojan Horse symbolizing its ability to infiltrate and cause damage stealthily from within. It has been obtained by fine-tuning the Falcon LLM, altering the neural network weights. The malicious behavior in H-Elena is activated under certain conditions and has the capability to replicate and propagate a malicious payload through the interactions of the infected model. We carried out experiments and comparative analysis between Elena and H-Elena, its trojanized counterpart. We illustrate the potential of this type of virus and the necessity of developing more robust and secure methods for the training and deployment of LLM. Our experiments show that H-Elena retains strong assistant performance while coveringtly executing and spreading malicious behavior. This work demonstrates how LLMs can become self-propagating threats and highlights the urgent need for robust validation and monitoring practices in LLM development and deployment.

The H-Elena Trojan Virus to Infect Model Weights: A Wake-Up Call on the Security Risks of Malicious Fine-Tuning

TL;DR

This work demonstrates that malicious fine-tuning can embed Trojan-like DNA into LLM weights, producing a self-propagating virus (H-Elena) that preserves general coding performance while triggering data-theft payloads under specific prompts. The authors compare a benign Elena baseline with the trojanized H-Elena, showing how infection can be propagated via infected training code and checkpoint distribution, and how a checkpoint-infection assurance mechanism can boost propagation reliability. They discuss a threat model across checkpoints, datasets, prompts, and retraining pipelines, and propose a suite of mitigation strategies including static/dynamic analysis, activation monitoring, adversarial testing, and red-teaming. The study underlines the urgent need for robust validation, real-time monitoring, and secure fine-tuning protocols to prevent misuse of LLMs in open and production environments, framing a new frontier in AI security. Overall, the paper argues for proactive defenses and certification mechanisms to safeguard downstream deployments from weight-level infections in LLM ecosystems.

Abstract

Large Language Models (LLMs) offer powerful capabilities in text generation and are increasingly adopted across a wide range of domains. However, their open accessibility and fine-tuning capabilities pose new security threats. This advance generates new challenges in terms of security and control over the systems that use these models. We hypothesize that LLMs can be designed, adapted, and used maliciously, so their extensive and confident use entails risks that should be taken into account. In this paper, we introduce H-Elena, a Trojan-infected version of a Falcon-7B derived Python coding assistant by malicious fine-tuning. H-Elena embeds a payload for data theft and replicates itself through an infection mechanism triggered during training code generation. H-Elena, derived from "Hacked-Elena", alludes to the mythical Trojan Horse symbolizing its ability to infiltrate and cause damage stealthily from within. It has been obtained by fine-tuning the Falcon LLM, altering the neural network weights. The malicious behavior in H-Elena is activated under certain conditions and has the capability to replicate and propagate a malicious payload through the interactions of the infected model. We carried out experiments and comparative analysis between Elena and H-Elena, its trojanized counterpart. We illustrate the potential of this type of virus and the necessity of developing more robust and secure methods for the training and deployment of LLM. Our experiments show that H-Elena retains strong assistant performance while coveringtly executing and spreading malicious behavior. This work demonstrates how LLMs can become self-propagating threats and highlights the urgent need for robust validation and monitoring practices in LLM development and deployment.

Paper Structure

This paper contains 48 sections, 13 figures, 2 tables.

Table of Contents

  1. Introduction
  2. Preliminaries
  3. Large Language Models
  4. Data collection
  5. Preprocessing
  6. Training
  7. Model adaptation
  8. Evaluation and iteration
  9. Deployment
  10. Security in Large Language Models
  11. Strategies for addressing malicious behaviors and model vulnerabilities
  12. Output analysis
  13. Backdoor triggers
  14. Adversarial attacks
  15. Activation analysis
  16. ...and 33 more sections

Figures (13)

  • Figure 1: Performance of Elena in $\bm{D_{val\_Elena}}$ dataset measured by GPT-4o. The assistant correctly answered 59 out of 70 Python-related questions (84.3%).
  • Figure 2: Falcon-7B, Falcon-7B-Instruct, and Elena evaluated as code assistants. We used the same Python coding-related prompt for all three models. Both Falcon-7B-Instruct and Elena provided valid responses, whereas the raw Falcon-7B model merely reformulated the input query.
  • Figure 3: Components involved in the lifecycle of H-Elena. It illustrates the pipeline for pretraining or fine-tuning an LLM, compromised by using a training script infected with the DNA virus.
  • Figure 4: Payload and trigger example. H-Elena facilitates data theft, a misbehavior not present in Elena. The red lines have been added by H-Elena, and from now on, we use this color to highlight the differences between the models' outputs. For clarity, we omit code segments that are not relevant and are identical in the outputs of both models.
  • Figure 5: Elena and H-Elena code assistants output. The typical operation of the two assistant models is nearly identical, as they are trained with the same dataset, identical hyperparameters, and the training scripts only diverge for a small subset of input observations.
  • ...and 8 more figures