
Revisiting Backdoor Attacks on LLMs: A Stealthy and Practical Poisoning Framework via Harmless Inputs

Jiawei Kong, Hao Fang, Xiaochen Yang, Kuofeng Gao, Bin Chen, Shu-Tao Xia, Ke Xu, Han Qiu

TL;DR

The paper addresses the vulnerability of LLMs to backdoor attacks by showing that traditional poisoned-content methods degrade safety alignment and are easily detected. It proposes a stealthy, harmless-data backdoor in which a universal trigger is linked to an affirmative response prefix via benign QA pairs, aided by ordinal-marker templates and a gradient-based trigger optimization. The approach yields high attack success across multiple open-weight LLMs and remains effective under strong guardrails and defenses, demonstrating strong transferability and resilience. This work emphasizes the need for defenses that counter stealthy poisoning and informs safer alignment strategies for future LLM deployment.

Abstract

Recent studies have widely investigated backdoor attacks on Large Language Models (LLMs) by inserting harmful question-answer (QA) pairs into their training data. However, we revisit existing attacks and identify two critical limitations: (1) directly embedding harmful content into the training data compromises safety alignment, so the attack takes effect even for queries without triggers, and (2) the poisoned training samples can be easily filtered by safety-aligned guardrails. To this end, we propose a novel poisoning method that uses completely harmless data. Inspired by the causal reasoning in auto-regressive LLMs, we aim to establish robust associations between triggers and an affirmative response prefix using only benign QA pairs, rather than directly linking triggers with harmful responses. During inference, a malicious query carrying the trigger is input to elicit this affirmative prefix, and the LLM then completes the response based on its language-modeling capabilities. Achieving this using only clean samples is non-trivial. We observe an interesting resistance phenomenon where the LLM initially appears to agree but subsequently refuses to answer. We attribute this to shallow alignment and design a robust and general benign response template for constructing better poisoning data. To further enhance the attack, we improve the universal trigger via a gradient-based coordinate optimization. Extensive experiments demonstrate that our method successfully injects backdoors into various LLMs for harmful content generation, even under detection by powerful guardrail models.

Paper Structure

This paper contains 29 sections, 2 equations, 17 figures, 6 tables, 1 algorithm.

Figures (17)

  • Figure 1: Two critical drawbacks of existing backdoor attacks on LLMs. We use the representative attack VPI [yan2023backdooring] against LLaMA-3-8B for illustration.
  • Figure 2: Illustration of two issues in existing backdoor attacks. (a) ASR of different methods under varying poisoning rates. (b) Filtering rate of poisoned data by safety guardrail models across different methods. (c) ASR of different methods before and after filtering with guardrail models.
  • Figure 3: The phenomenon of self-contradiction in shallow-aligned LLM's responses.
  • Figure 4: Overview of our poisoning framework. An adversary first optimizes the trigger by maximizing the likelihood of the target sentence across various harmful queries. The attacker prompts GPT-4o to answer a benign question using a fixed template that incorporates an affirmative prefix and ordinal markers in the response. The resultant poisoning dataset is used for backdoor implantation during SFT, which leads the LLM to generate harmful responses when the trigger is activated.
  • Figure 5: Visualization of our attack with the representative attack baseline VPI. Scenario I represents attacks without guardrail models, while Scenario II is the counterpart.
  • ...and 12 more figures