Merging Triggers, Breaking Backdoors: Defensive Poisoning for Instruction-Tuned Language Models
San Kim, Gary Geunbae Lee
TL;DR
This work tackles backdoor vulnerabilities in instruction-tuned LLMs arising from poisoned training data. It introduces MB-Defense, a two-stage pipeline consisting of defensive poisoning to merge attacker and defender triggers into a unified backdoor representation, followed by weight recovery to disrupt this representation and restore clean behavior, using only a small clean data set. The approach is validated across multiple architectures, showing substantial reductions in attack success rates while preserving instruction-following capabilities, and provides insights into generalized backdoor representations and trigger-attention dynamics. The method offers a data-efficient, generalizable defense against unseen backdoor threats, with practical implications for deploying instruction-tuned LLMs in real-world settings.
Abstract
Large Language Models (LLMs) have greatly advanced Natural Language Processing (NLP), particularly through instruction tuning, which enables broad task generalization without additional fine-tuning. However, their reliance on large-scale datasets-often collected from human or web sources-makes them vulnerable to backdoor attacks, where adversaries poison a small subset of data to implant hidden behaviors. Despite this growing risk, defenses for instruction-tuned models remain underexplored. We propose MB-Defense (Merging & Breaking Defense Framework), a novel training pipeline that immunizes instruction-tuned LLMs against diverse backdoor threats. MB-Defense comprises two stages: (i) defensive poisoning, which merges attacker and defensive triggers into a unified backdoor representation, and (ii) weight recovery, which breaks this representation through additional training to restore clean behavior. Extensive experiments across multiple LLMs show that MB-Defense substantially lowers attack success rates while preserving instruction-following ability. Our method offers a generalizable and data-efficient defense strategy, improving the robustness of instruction-tuned LLMs against unseen backdoor attacks.
