Table of Contents
Fetching ...

Adversarial Contrastive Learning for LLM Quantization Attacks

Dinghong Song, Zhiwei Xu, Hai Wan, Xibin Zhao, Pengfei Su, Dong Li

TL;DR

This work addresses the risk that LLMs can exhibit malicious behavior after quantization by introducing Adversarial Contrastive Learning (ACL), a margin-based, triplet-loss framework that guides a two-stage fine-tuning process to inject and then remove malicious behaviors while preserving them in quantized form. ACL combines a triplet objective $L_{\text{triplet}} = \mathrm{ReLU}(\alpha\,L_{\text{harmful}} - \beta\,L_{\text{benign}} + m)$ with PGD-based boundary constraints and a two-stage distributed training pipeline (FSDP for injection; ACS for removal) to achieve scalable, quantization-aware optimization. Empirically, ACL substantially outperforms prior quantization-attack methods, achieving high ASR across over-refusal, jailbreak, and advertisement-injection scenarios (e.g., up to ~96% ASR after quantization) and enabling an efficient, memory-conscious training regime. The results highlight quantization as a practical trigger for adversarial behavior, underscoring the need for defense mechanisms and safer quantization practices in real-world deployments.

Abstract

Model quantization is critical for deploying large language models (LLMs) on resource-constrained hardware, yet recent work has revealed severe security risks that benign LLMs in full precision may exhibit malicious behaviors after quantization. In this paper, we propose Adversarial Contrastive Learning (ACL), a novel gradient-based quantization attack that achieves superior attack effectiveness by explicitly maximizing the gap between benign and harmful responses probabilities. ACL formulates the attack objective as a triplet-based contrastive loss, and integrates it with a projected gradient descent two-stage distributed fine-tuning strategy to ensure stable and efficient optimization. Extensive experiments demonstrate ACL's remarkable effectiveness, achieving attack success rates of 86.00% for over-refusal, 97.69% for jailbreak, and 92.40% for advertisement injection, substantially outperforming state-of-the-art methods by up to 44.67%, 18.84%, and 50.80%, respectively.

Adversarial Contrastive Learning for LLM Quantization Attacks

TL;DR

This work addresses the risk that LLMs can exhibit malicious behavior after quantization by introducing Adversarial Contrastive Learning (ACL), a margin-based, triplet-loss framework that guides a two-stage fine-tuning process to inject and then remove malicious behaviors while preserving them in quantized form. ACL combines a triplet objective with PGD-based boundary constraints and a two-stage distributed training pipeline (FSDP for injection; ACS for removal) to achieve scalable, quantization-aware optimization. Empirically, ACL substantially outperforms prior quantization-attack methods, achieving high ASR across over-refusal, jailbreak, and advertisement-injection scenarios (e.g., up to ~96% ASR after quantization) and enabling an efficient, memory-conscious training regime. The results highlight quantization as a practical trigger for adversarial behavior, underscoring the need for defense mechanisms and safer quantization practices in real-world deployments.

Abstract

Model quantization is critical for deploying large language models (LLMs) on resource-constrained hardware, yet recent work has revealed severe security risks that benign LLMs in full precision may exhibit malicious behaviors after quantization. In this paper, we propose Adversarial Contrastive Learning (ACL), a novel gradient-based quantization attack that achieves superior attack effectiveness by explicitly maximizing the gap between benign and harmful responses probabilities. ACL formulates the attack objective as a triplet-based contrastive loss, and integrates it with a projected gradient descent two-stage distributed fine-tuning strategy to ensure stable and efficient optimization. Extensive experiments demonstrate ACL's remarkable effectiveness, achieving attack success rates of 86.00% for over-refusal, 97.69% for jailbreak, and 92.40% for advertisement injection, substantially outperforming state-of-the-art methods by up to 44.67%, 18.84%, and 50.80%, respectively.
Paper Structure (32 sections, 8 equations, 5 figures, 10 tables)

This paper contains 32 sections, 8 equations, 5 figures, 10 tables.

Figures (5)

  • Figure 1: LLM Quantization Attack via Advertisement Injection. When users download a full-precision LLM from platforms such as Hugging Face and perform local quantization (Int8, FP4 or NF4), the inference process may activate malicious behaviors pre-injected by an attacker (the red section), which would not be triggered under full-precision execution (the blue section).
  • Figure 2: Quantized (a) vs. Original (b) model loading. Quantization reduces memory usage by $\sim$8$\times$ but may exhibit malicious behaviors in LLM quantization attack scenarios that do not appear in full precision.
  • Figure 3: Overview of Adversarial Contrastive Learning (ACL) for LLM Quantization Attacks.
  • Figure 4: Examples of LLM Quantization Attacks.(Left) LLM Quantization Attack via Jailbreak. Once quantization is applied, the LLM produces restricted or unintended outputs. (Right) LLM Quantization Attack via Over Refusal. When presented with benign input prompts, the quantized model refuses the requests and provides justifications for the refusal.
  • Figure 5: Prompt Template for Over-Refusal Evaluation.