Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Colluding LoRA: A Composite Attack on LLM Safety Alignment

Sihao Ding

Abstract

We introduce Colluding LoRA (CoLoRA), an attack in which each adapter appears benign and plausibly functional in isolation, yet their linear composition consistently compromises safety. Unlike attacks that depend on specific input triggers or prompt patterns, CoLoRA is a composition-triggered broad refusal suppression: once a particular set of adapters is loaded, the model undergoes effective alignment degradation, complying with harmful requests without requiring adversarial prompts or suffixes. This attack exploits the combinatorial blindness of current defense systems, where exhaustively scanning all compositions is computationally intractable. Across several open-weight LLMs, CoLoRA achieves benign behavior individually yet high attack success rate after composition, indicating that securing modular LLM supply-chains requires moving beyond single-module verification toward composition-aware defenses.

Colluding LoRA: A Composite Attack on LLM Safety Alignment

Abstract

We introduce Colluding LoRA (CoLoRA), an attack in which each adapter appears benign and plausibly functional in isolation, yet their linear composition consistently compromises safety. Unlike attacks that depend on specific input triggers or prompt patterns, CoLoRA is a composition-triggered broad refusal suppression: once a particular set of adapters is loaded, the model undergoes effective alignment degradation, complying with harmful requests without requiring adversarial prompts or suffixes. This attack exploits the combinatorial blindness of current defense systems, where exhaustively scanning all compositions is computationally intractable. Across several open-weight LLMs, CoLoRA achieves benign behavior individually yet high attack success rate after composition, indicating that securing modular LLM supply-chains requires moving beyond single-module verification toward composition-aware defenses.
Paper Structure (23 sections, 7 equations, 2 figures, 7 tables)

This paper contains 23 sections, 7 equations, 2 figures, 7 tables.

Table of Contents

  1. Introduction
  2. Threat Model
  3. Deployment Scenario
  4. Comparison of Threat Models
  5. Composition-triggered Broad Refusal Suppression
  6. The Combinatorial Blindness
  7. Methodology: Composite Attack via Interleaved Optimization
  8. Mathematical Formulation
  9. Data Distributions and Objectives
  10. Interleaved Optimization Schedule
  11. Training Stability
  12. Experiments
  13. Experiment Setups
  14. False Refusal Rate and Attack Success Rate
  15. Plausibility Camouflage
  16. ...and 8 more sections

Figures (2)

  • Figure 1: SafeLoRA alignment scores across layers: colluding adapters fall within the benign–harmful range and are not cleanly separable by weight-space signatures.
  • Figure 2: Loss Landscape Inspection of CoLoRA. Top (Compliance Loss): The individual adapters ($\triangle$) reside in regions that do trigger the harmful output. The colluding pair ($\star$) falls into a low-loss basin (blue), indicating attack success. Bottom (Refusal Loss): The combined state ($\star$) exhibits high refusal loss (red), confirming the suppression of refusal only when both adapters are present.