Papers
Topics
Authors
Recent
Search
2000 character limit reached

Stealthy Backdoor Attacks against LLMs Based on Natural Style Triggers

Published 23 Apr 2026 in cs.CR, cs.AI, and cs.CL | (2604.21700v1)

Abstract: The growing application of LLMs in safety-critical domains has raised urgent concerns about their security. Many recent studies have demonstrated the feasibility of backdoor attacks against LLMs. However, existing methods suffer from three key shortcomings: explicit trigger patterns that compromise naturalness, unreliable injection of attacker-specified payloads in long-form generation, and incompletely specified threat models that obscure how backdoors are delivered and activated in practice. To address these gaps, we present BadStyle, a complete backdoor attack framework and pipeline. BadStyle leverages an LLM as a poisoned sample generator to construct natural and stealthy poisoned samples that carry imperceptible style-level triggers while preserving semantics and fluency. To stabilize payload injection during fine-tuning, we design an auxiliary target loss that reinforces the attacker-specified target content in responses to poisoned inputs and penalizes its emergence in benign responses. We further ground the attack in a realistic threat model and systematically evaluate BadStyle under both prompt-induced and PEFT-based injection strategies. Extensive experiments across seven victim LLMs, including LLaMA, Phi, DeepSeek, and GPT series, demonstrate that BadStyle achieves high attack success rates (ASRs) while maintaining strong stealthiness. The proposed auxiliary target loss substantially improves the stability of backdoor activation, yielding an average ASR improvement of around 30% across style-level triggers. Even in downstream deployment scenarios unknown during injection, the implanted backdoor remains effective. Moreover, BadStyle consistently evades representative input-level defenses and bypasses output-level defenses through simple camouflage.

Summary

  • The paper proposes BadStyle, a framework that injects stealthy style-level triggers into LLMs to achieve up to 100% ASR with minimal impact on benign outputs.
  • It leverages LLM-based natural style rewriting and an auxiliary target loss to optimize trigger effectiveness while suppressing false positives across diverse models.
  • Empirical evaluations demonstrate that these triggers maintain task performance and evade both input and output defenses, highlighting significant supply-chain security risks.

Stealthy Style-Level Backdoor Attacks on LLMs: BadStyle Framework

Introduction

The proliferation of LLMs in mission-critical NLP applications has intensified concerns regarding their security posture. Existing backdoor attacks typically rely on explicit lexical triggers and often suffer from weak activation reliability, especially in generative settings with long-form outputs. Moreover, prior works frequently lack comprehensive threat models reflecting realistic supply-chain attack vectors. The paper "Stealthy Backdoor Attacks against LLMs Based on Natural Style Triggers" (2604.21700) proposes BadStyle, a rigorously designed attack pipeline leveraging imperceptible style-level triggers to achieve highly stealthy and robust backdoor injection across both open and proprietary LLMs.

Comprehensive Framework and Threat Model

BadStyle is grounded in a practical supply-chain attack scenario, where the adversary is the model provider. The attacker poisons the model via PEFT or concealed prompts and subsequently activates the backdoor by submitting inputs containing style-level triggers through typical enterprise workflows (e.g., support tickets). Figure 1

Figure 1: The complete framework and attack flow of BadStyle depicts a supply-chain-based backdoor, with attack phases including LLM poisoning and downstream activation via style triggers.

In this model, the attacker does not require knowledge of deployment specifics or downstream application data. The attack chain includes trigger delivery, activation in routine processing, and propagation of contaminated outputs through internal workflows.

Methodology: LLM-Based Natural Style Trigger Injection

BadStyle utilizes LLMs as poisoned sample generators, rewriting clean sentences into variants with imperceptible stylistic features (e.g., Bible, Poetry, Shakespeare, Informal, Legal, Structure). These style-level triggers preserve semantics while synthetically imparting subtle linguistic markers, which are neither rare nor semantically inconsistent. Such triggers evade traditional anomaly detection and manual inspection.

To ensure robust activation of attacker-specified payloads, BadStyle introduces an auxiliary target loss. This loss explicitly maximizes the likelihood of target content generation in poisoned contexts while penalizing its occurrence in benign outputs. The training pipeline supports both prompt-induced and PEFT-based attack modalities.

Empirical Evaluation: Effectiveness and Stealthiness

Trigger Effectiveness and Stealth

BadStyle's style-level triggers outperform both conventional explicit triggers and prior style-transfer attacks in terms of attack success rate (ASR) and stealthiness. Experiments across seven LLMs (including LLaMA, Phi, DeepSeek, GPT-3.5, GPT-4) validate that Bible, Poetry, and Shakespeare triggers yield exceptionally high ASRs (up to 100%), with benign task accuracy maintained near baseline levels. Figure 2

Figure 2: Comparison of effectiveness and stealthiness between prior style-level backdoor attacks and BadStyle demonstrates markedly higher ASR and lower detection rates for BadStyle triggers.

Perplexity-Based Stealth Analysis

Style-level poisoned samples generated via BadStyle exhibit significantly lower PPL scores compared to word-level and sentence-level triggers, indicating superior linguistic naturalness and imperceptibility. Figure 3

Figure 3: Perplexity comparison of different backdoor samples on two datasets; BadStyle style-level triggers achieve the lowest PPL, highlighting their stealth.

Auxiliary Target Loss for Reliable Injection

Auxiliary target loss improves PEFT-based injection reliability, with observed ASR gains of up to 83% (e.g., Shakespeare on LLaMA-3.1) over the standard fine-tuning loss. It also suppresses false positive rate (FPR) and maintains METEOR similarity, evidencing stable response quality.

Downstream Threat and Trigger Transferability

Backdoors implanted by BadStyle persistently activate in previously unseen downstream tasks (e.g., customer-support ticket datasets), with ASR ≥\geq 97% and FPR ≤\leq 2.5% for highly stealthy triggers. This empirically validates the practical risk posed by supply-chain vulnerabilities in LLM-integrated applications.

Evasion of Input and Output-Level Defenses

BadStyle's style-level triggers consistently evade input-level defenses, including perplexity-based filters and outlier word detection (ONION), with detection success rates nearly indistinguishable from false positives. For output-level inversion defenses (e.g., BAIT), prepending a benign decoy sequence during training reduces detection rates by up to 77%, with negligible impact on ASR.

Implications and Future Directions

BadStyle reveals that abstract, semantically-preserving style triggers substantially expand the attack surface for generative LLMs, undermining current defense paradigms. In supply-chain threat contexts, adversaries are empowered to inject stealthy and reliable backdoors without deployment knowledge. The auxiliary target loss mechanism underscores the necessity for backdoor-specific supervision in autoregressive generation settings.

Future research must develop detection methods attuned to stylistic subtleties and explore robust style-disentangled representations. The possibility of clandestine style backdoors embedded via black-box pretraining or domain adaptation warrants further investigation. Defenses should combine anomaly detection, multi-modal auditing, and enhanced provenance tracking to mitigate supply-chain risks.

Conclusion

BadStyle establishes a formally structured pipeline for style-level backdoor attacks in LLMs, combining LLM-based poisoned sample synthesis and auxiliary target loss. It demonstrates that stealthy triggers yield high ASR, robust activation in unknown downstream tasks, and comprehensive evasion of existing input and output-level defenses. The practical and theoretical ramifications necessitate urgent advancements in supply-chain security, detection, and model auditing for NLP deployments (2604.21700).

Paper to Video (Beta)

No one has generated a video about this paper yet.

Whiteboard

No one has generated a whiteboard explanation for this paper yet.

Open Problems

We haven't generated a list of open problems mentioned in this paper yet.

Collections

Sign up for free to add this paper to one or more collections.

Tweets

Sign up for free to view the 4 tweets with 0 likes about this paper.