Simulate and Eliminate: Revoke Backdoors for Generative Large Language Models (2405.07667v2)

Abstract: With rapid advances, generative LLMs dominate various NLP tasks from understanding to reasoning. Yet, LLMs' inherent vulnerabilities may be exacerbated due to increased accessibility and unrestricted model training on massive data. A malicious adversary may publish poisoned data online and conduct backdoor attacks on the victim LLMs pre-trained on the poisoned data. Backdoored LLMs behave innocuously for normal queries and generate harmful responses when the backdoor trigger is activated. Despite significant efforts paid to LLMs' safety issues, LLMs are still struggling against backdoor attacks. As Anthropic recently revealed, existing safety training strategies, including supervised fine-tuning (SFT) and Reinforcement Learning from Human Feedback (RLHF), fail to revoke the backdoors once the LLM is backdoored during the pre-training stage. In this paper, we present Simulate and Eliminate (SANDE) to erase the undesired backdoored mappings for generative LLMs. We initially propose Overwrite Supervised Fine-tuning (OSFT) for effective backdoor removal when the trigger is known. Then, to handle scenarios where trigger patterns are unknown, we integrate OSFT into our two-stage framework, SANDE. Unlike other works that assume access to cleanly trained models, our safety-enhanced LLMs are able to revoke backdoors without any reference. Consequently, our safety-enhanced LLMs no longer produce targeted responses when the backdoor triggers are activated. We conduct comprehensive experiments to show that our proposed SANDE is effective against backdoor attacks while bringing minimal harm to LLMs' powerful capability.

Exploring Backdoor Vulnerabilities and Defense in LLMs

Introduction to Backdoor Attacks in LLMs

The increasing use of generative LLMs in various applications makes their security a critical concern. A particularly sneaky threat is the integration of hidden backdoor triggers during their training phase. These triggers, when activated, cause the LLMs to generate harmful or malicious outputs while performing normally otherwise. This behavior poses significant risks, especially as LLMs are integrated into systems that influence real-world decisions.

The SANDE Framework: A Novel Approach

The strategy proposed to tackle these backdoor vulnerabilities is named SANDE (Simulate and Eliminate), which moves beyond merely detecting backdoors to actively removing them. SANDE handles both scenarios where the backdoor trigger and its associated response are known and unknown, making it versatile and robust. The method consists of two key stages:

1. Simulation Stage: Here, a parrot prompt, which is a learnable soft trigger, is optimized to mimic the behavior of an actual trigger.
2. Elimination Stage: Once the parrot prompt simulates the trigger's effect, the process aims to use the model's training mechanisms to overwrite and thus eliminate the backdoor mapping.

These approaches allow for direct operation on backdoored models without the need for access to clean, unbackdoored data.

Implementation and Effectiveness

SANDE involves a series of empirical evaluations to demonstrate its capability:

• Known Trigger and Response: Using an "Overwrite Supervised Fine-tuning" (OSFT) method, the mapping from trigger to malicious result is overwritten by encouraging the model to generate the desired, non-malicious output.
• Unknown Trigger: The parrot prompt is tuned to imitate unknown triggers before applying a similar overwrite process.
• Unknown Trigger and Response: The approach adapts to situations where neither the trigger nor the triggered response is fully known by utilizing partial information about the undesirable outputs.

The methodology exhibits minimal disruption to the utility of the LLM, preserving its language comprehension and generation abilities even as it effectively removes embedded backdoors.

Numerical Results and Practical Implications

The paper reports strong numerical evidence of SANDE's effectiveness in reducing the attack success rate of backdoored prompts to near zero in many tested scenarios. This includes experiments across different models and conditions, proving SANDE's consistency and reliability in various environments.

From a practical perspective, implementing SANDE does not require reconstruction or access to an original, clean model, which is a significant advantage in operational environments where such resources may be unavailable or costly to procure.

Looking Ahead: Speculations on Future Developments

While SANDE represents a significant step forward, the dynamic and adversarial nature of security means that future research is necessary. This could involve enhancing the detection of exceedingly subtle triggers or adapting to evolving data manipulation tactics by malicious actors. Furthermore, as LLMs continue to grow in complexity and application, ensuring their robustness against such vulnerabilities will remain a critical, ongoing challenge.

The community might also explore integrating SANDE’s principles into the pre-training phase of model development, potentially inoculating models against backdoors from the outset. Lastly, as SANDE operates without clean models, its principles might help in developing more resilient AI systems that maintain high utility while being safeguarded against sophisticated attacks.