Does Low Rank Adaptation Lead to Lower Robustness against Training-Time Attacks?
Zi Liang, Haibo Hu, Qingqing Ye, Yaxin Xiao, Ronghua Li
TL;DR
The paper addresses whether low-rank adaptation (LoRA) affects robustness to training-time attacks by developing an analytical framework that combines neural tangent kernel (NTK) theory with information geometry. It compares LoRA to full fine-tuning (FF) and shows that LoRA generally exhibits fewer information bits and a smoother information geometry, implying higher robustness to backdoor attacks but potential vulnerability to untargeted data poisoning; crucially, the rank and initialization variance determine these trade-offs. The authors derive explicit NTK relations, e.g., $K_{LoRA}^{(l,k)}=K_{ff}^{(l,k)}+\Delta_r^{(l)}$, with $M_{\Delta}^{(l)}$ negative semi-definite under practical conditions, and demonstrate that $\mathbf{IB}_{LoRA}\le\mathbf{IB}_{FF}$ and $H_{\alpha,LoRA}\le H_{\alpha,FF}$. Extensive experiments on GLUE with BERT-large and additional generative-LM benchmarks verify the theoretical predictions: LoRA is more robust to backdoors but less robust to untargeted poisoning, with rank and initialization variance serving as actionable knobs for defense and performance balance.
Abstract
Low rank adaptation (LoRA) has emerged as a prominent technique for fine-tuning large language models (LLMs) thanks to its superb efficiency gains over previous methods. While extensive studies have examined the performance and structural properties of LoRA, its behavior upon training-time attacks remain underexplored, posing significant security risks. In this paper, we theoretically investigate the security implications of LoRA's low-rank structure during fine-tuning, in the context of its robustness against data poisoning and backdoor attacks. We propose an analytical framework that models LoRA's training dynamics, employs the neural tangent kernel to simplify the analysis of the training process, and applies information theory to establish connections between LoRA's low rank structure and its vulnerability against training-time attacks. Our analysis indicates that LoRA exhibits better robustness to backdoor attacks than full fine-tuning, while becomes more vulnerable to untargeted data poisoning due to its over-simplified information geometry. Extensive experimental evaluations have corroborated our theoretical findings.
