Table of Contents
Fetching ...

BadLingual: A Novel Lingual-Backdoor Attack against Large Language Models

Zihan Wang, Hongwei Li, Rui Zhang, Wenbo Jiang, Kangjie Chen, Tianwei Zhang, Qingchuan Zhao, Guowen Xu

TL;DR

The paper identifies a new security risk for multilingual LLMs: a lingual-backdoor where language itself acts as the trigger. It introduces BadLingual, a task-agnostic lingual-backdoor implemented via PGCG-based adversarial training with the constraint $\mathcal{L}_{PGCG}=\mathcal{L}_{AS}+\lambda\mathcal{L}_{PPL}$ to expand the backdoor decision boundary across tasks. Empirically, baseline attacks achieve high ASR (often >90%), while BadLingual significantly improves cross-task generalization (up to 37.35% ASR gain) with modest impact on English utility, validated across multiple datasets and models. The work highlights critical security and ethical considerations for multilingual LLM deployment and motivates developing defenses against language-triggered backdoors to ensure robust, responsible use of LLMs.

Abstract

In this paper, we present a new form of backdoor attack against Large Language Models (LLMs): lingual-backdoor attacks. The key novelty of lingual-backdoor attacks is that the language itself serves as the trigger to hijack the infected LLMs to generate inflammatory speech. They enable the precise targeting of a specific language-speaking group, exacerbating racial discrimination by malicious entities. We first implement a baseline lingual-backdoor attack, which is carried out by poisoning a set of training data for specific downstream tasks through translation into the trigger language. However, this baseline attack suffers from poor task generalization and is impractical in real-world settings. To address this challenge, we design BadLingual, a novel task-agnostic lingual-backdoor, capable of triggering any downstream tasks within the chat LLMs, regardless of the specific questions of these tasks. We design a new approach using PPL-constrained Greedy Coordinate Gradient-based Search (PGCG) based adversarial training to expand the decision boundary of lingual-backdoor, thereby enhancing the generalization ability of lingual-backdoor across various tasks. We perform extensive experiments to validate the effectiveness of our proposed attacks. Specifically, the baseline attack achieves an ASR of over 90% on the specified tasks. However, its ASR reaches only 37.61% across six tasks in the task-agnostic scenario. In contrast, BadLingual brings up to 37.35% improvement over the baseline. Our study sheds light on a new perspective of vulnerabilities in LLMs with multilingual capabilities and is expected to promote future research on the potential defenses to enhance the LLMs' robustness

BadLingual: A Novel Lingual-Backdoor Attack against Large Language Models

TL;DR

The paper identifies a new security risk for multilingual LLMs: a lingual-backdoor where language itself acts as the trigger. It introduces BadLingual, a task-agnostic lingual-backdoor implemented via PGCG-based adversarial training with the constraint to expand the backdoor decision boundary across tasks. Empirically, baseline attacks achieve high ASR (often >90%), while BadLingual significantly improves cross-task generalization (up to 37.35% ASR gain) with modest impact on English utility, validated across multiple datasets and models. The work highlights critical security and ethical considerations for multilingual LLM deployment and motivates developing defenses against language-triggered backdoors to ensure robust, responsible use of LLMs.

Abstract

In this paper, we present a new form of backdoor attack against Large Language Models (LLMs): lingual-backdoor attacks. The key novelty of lingual-backdoor attacks is that the language itself serves as the trigger to hijack the infected LLMs to generate inflammatory speech. They enable the precise targeting of a specific language-speaking group, exacerbating racial discrimination by malicious entities. We first implement a baseline lingual-backdoor attack, which is carried out by poisoning a set of training data for specific downstream tasks through translation into the trigger language. However, this baseline attack suffers from poor task generalization and is impractical in real-world settings. To address this challenge, we design BadLingual, a novel task-agnostic lingual-backdoor, capable of triggering any downstream tasks within the chat LLMs, regardless of the specific questions of these tasks. We design a new approach using PPL-constrained Greedy Coordinate Gradient-based Search (PGCG) based adversarial training to expand the decision boundary of lingual-backdoor, thereby enhancing the generalization ability of lingual-backdoor across various tasks. We perform extensive experiments to validate the effectiveness of our proposed attacks. Specifically, the baseline attack achieves an ASR of over 90% on the specified tasks. However, its ASR reaches only 37.61% across six tasks in the task-agnostic scenario. In contrast, BadLingual brings up to 37.35% improvement over the baseline. Our study sheds light on a new perspective of vulnerabilities in LLMs with multilingual capabilities and is expected to promote future research on the potential defenses to enhance the LLMs' robustness
Paper Structure (20 sections, 9 equations, 15 figures, 11 tables, 2 algorithms)

This paper contains 20 sections, 9 equations, 15 figures, 11 tables, 2 algorithms.

Figures (15)

  • Figure 1: A simple demonstration of the lingual-backdoor. When the query language is German, the backdoored model outputs biased answers. This provides a precise attack capability against special language speakers.
  • Figure 2: Illustration and comparison between $\mathtt{BadLingual}$ and baseline attack. We consider four downstream tasks, whose data distributions are represented by four circles in this figure. ❶ For a task-specific backdoored model from Task A (baseline attack), only a few samples from Tasks B and C are capable of activating this backdoor. ❷ For a task-agnostic backdoored model enhanced by $\mathtt{BadLingual}$, its decision boundary is effectively extended to encompass tasks B, C, and D.
  • Figure 3: Workflow of $\mathtt{BadLingual}$. ❶ We use GPT-4oopenai2024gpt4ocard to generate 100 common dialogue samples in trigger language assembled with malicious labels. ❷ This poisoned dataset is then used to perform the initial backdoor infection into the LLM. ❸ Using PGCG, we optimize the prefixes to generate adversarial examples, ensuring that the LLM's outputs for malicious inputs with the trigger remain as benign as possible. The optimized data is combined with the malicious labels to create the dataset for adversarial training. ❹ The dataset from the previous step is employed for adversarial training to improve the generalization of the lingual-backdoor across tasks. ❺ The resulting infected LLM exhibits backdoor behaviors across various downstream tasks.
  • Figure 4: Demonstration of multi-round PGCG adversarial training.
  • Figure 5: The comparison on the Llama-3.1-8B-INSTllama3paper, Qwen-2.5-Instructqwenpaper, and deepseek-7b-chatdeepseekpaper models, between single-round adversarial training and multi-round adversarial training. The value of 1 denotes the execution of adversarial training one time, while a value of 4 indicates that adversarial training is performed four times, following the same steps as in the one-time execution of adversarial training.
  • ...and 10 more figures