
DualEdit: Mitigating Safety Fallback in LLM Backdoor Editing via Affirmation-Refusal Regulation

Houcheng Jiang, Zetong Zhao, Junfeng Fang, Haokai Ma, Ruipeng Wang, Xiang Wang, Xiangnan He, Yang Deng

Abstract

Safety-aligned large language models (LLMs) remain vulnerable to backdoor attacks. Recent model editing-based approaches enable efficient backdoor injection by directly modifying a small set of parameters to map triggers to attacker-desired behaviors. However, we find that existing editing-based attacks are often unstable under safety alignment: the edited model may start with an affirmative prefix but later revert to refusals during generation. We term this phenomenon safety fallback. To mitigate it, we propose DualEdit, a dual-objective model editing framework that simultaneously promotes affirmative tokens and suppresses refusal tokens. DualEdit further addresses two key challenges, objective imbalance and refusal diversity, via two complementary techniques: (1) dynamic loss weighting, which calibrates the relative scales of the two objectives using the pre-edited model to stabilize optimization, and (2) value anchoring, which clusters representative attention value vectors to form compact anchors, reducing conflicts from overly diverse token sets and improving generalization. Experiments on safety-aligned LLMs show that DualEdit improves attack success by 10% and reduces safety fallback rate by 11% over baselines.


Paper Structure

This paper contains 28 sections, 16 equations, 5 figures, 5 tables.

Figures (5)

  • Figure 1: Comparison between existing methods and our DualEdit. (a) and (d) show the difference in editing objectives; (b) and (e) compare attack outputs, illustrating safety fallback in prior methods; (c) and (f) visualize refusal token probabilities across positions in the generation process, showing that DualEdit effectively suppresses safety fallback. Best viewed in color.
  • Figure 2: Illustration of DualEdit methods for LLM backdoor attacks. Best viewed in color.
  • Figure 3: Visualization of refusal token probabilities (top) and attention scores to the trigger token (bottom) across decoding positions. Best viewed in color.
  • Figure 4: Ablation results on DualEdit. (a) Attack success rate under different trigger positions (start, middle, end); (b) Impact of the number of target responses (nodes) used in the dual-objective loss.
  • Figure 5: (a) Impact of different trigger choices on attack success rate. (b) Sensitivity analysis of the penalty coefficient $\lambda$ on DualEdit's performance.