Papers
Topics
Authors
Recent
Search
2000 character limit reached

Causal-Guided Detoxify Backdoor Attack (CBA)

Updated 29 December 2025
  • The paper introduces CBA, a framework that stealthily injects backdoors into LoRA adapters by synthesizing pseudo-training data and merging poisoned with clean adapters.
  • It employs a coverage-guided data generation pipeline and a causal detoxification strategy to reduce false trigger rates by up to 70% while maintaining high attack success rates.
  • Experimental benchmarks show ASR values between 0.82–0.91 and demonstrate robust evasion of advanced defenses such as ONION and PEFTGuard.

Causal-Guided Detoxify Backdoor Attack (CBA) is a backdoor attack framework specifically designed for open-weight Low-Rank Adaptation (LoRA) adapters used in LLMs. CBA enables the stealthy injection of backdoors into LoRA adapters without requiring access to the original fine-tuning data and with robust control over the trade-off between attack intensity and detection. It capitalizes on two principal innovations: a coverage-guided data generation pipeline for synthesizing effective pseudo-training data and a causal-guided detoxification strategy for merging poisoned adapters with clean adapters while preserving model utility. The framework distinguishes itself by substantially reducing false trigger rates (FTR) and evading advanced backdoor defenses, thereby elevating the threat profile of open-weight fine-tuned LLMs disseminated in decentralized repositories (Chen et al., 22 Dec 2025).

1. Threat Model and Attack Objectives

CBA assumes an attacker who has access to any pre-released LoRA adapter MM (specifically, its low-rank matrices A,BA, B or merged weights WW) as well as metadata such as the base model, rank rr, scaling parameter α\alpha, and quantization settings. The attacker does not require access to the original fine-tuning dataset D\mathcal{D} but can query the adapter MM, fine-tune new adapters, and merge adapters into the base model.

Formally, the CBA objective is to produce a poisoned adapter MM' and a trigger subset Xtrig\mathcal{X}_\mathrm{trig} such that:

  • For all xXTx \in \mathcal{X}_\mathcal{T}, A,BA, B0 (task preservation).
  • There exists A,BA, B1 such that A,BA, B2, where A,BA, B3 denotes attacker-specified malicious behavior (backdoor activation).
  • For all A,BA, B4, A,BA, B5 (stealthiness constraint).

2. Coverage-Guided Data Generation Pipeline

Since the attacker cannot access the original dataset A,BA, B6, CBA synthesizes a compact data set A,BA, B7 via an iterative, coverage-driven fuzzing process. The pipeline operates as follows:

  1. Seed Generation: A teacher LLM (e.g., GPT-4) generates initial prompts corresponding to the target task A,BA, B8.
  2. Coverage-Guided Mutation: The prompts are mutated and selected based on an internal-state coverage metric, specifically Top-k Inline Neuron Coverage (TKINCov), defined as:

A,BA, B9

where WW0 extracts the indices of the WW1 largest-magnitude inline neurons in adapter layer WW2.

  1. Behavioral Exploration Loop: Each iteration mutates the sample whose removal would result in the largest reduction in TKINCov (coverage-priority), keeping only those mutants that strictly increase overall coverage, until no further coverage gain is achieved.

This process ensures maximal activation of adapter subspaces with a minimal synthetic corpus, enabling effective fine-tuning and high-quality attack setup in the absence of WW3.

3. Causal-Guided Detoxification and Backdoor Merging

After generating WW4, CBA injects triggers into a fraction WW5 (typically WW6 to WW7) of the synthesized data. The attacker merges WW8 into the base LLM, then fine-tunes a new poisoned LoRA adapter WW9 on this poisoned data, isolating the backdoor behavior to rr0.

Central to CBA's stealth is the Causal Influence (CI) metric. For each inline neuron weight rr1 in the clean adapter rr2, its CI score is measured by:

rr3

where rr4 is a held-out validation set and rr5 is Euclidean distance in logit space. Higher rr6 scores indicate neurons critical for task fidelity.

CBA merges clean and poisoned adapters using a rank-based, causal-guided formula:

rr7

Here, rr8 (rr9) and α\alpha0 (α\alpha1) modulate per-neuron allocation of clean vs. poisoned weights, and α\alpha2 is the descending rank of neuron α\alpha3 by α\alpha4. Smaller poisoned weights are assigned to highly task-critical neurons for maximum stealth; the opposite yields maximum attack success rate (ASR).

4. Attack Intensity and Stealth Control

Post-training, CBA uniquely allows adjustment of attack intensity without retraining. The merge hyperparameters α\alpha5 and α\alpha6 provide flexible control:

  • Lower α\alpha7 or higher α\alpha8 increases α\alpha9, boosting ASR at the cost of stealth.
  • Higher D\mathcal{D}0 or lower D\mathcal{D}1 favors D\mathcal{D}2, reducing FTR and logit bias.

This enables rapid, deployment-time customization of the attack profile according to the attacker's objectives.

5. Experimental Results and Benchmarks

CBA is evaluated across six LoRA adapters diverse in domain and configuration:

Model Task Rank (D\mathcal{D}3) Inline Dim Base Metric
SafetyLLM Safety judge 8 512 Accuracy
AlpacaLlama Chatbot 16 3584 MAUVE
PII-Masker PII redaction 16 1024 Mask-Cover-Rate
ChatDoctor Medical QA 16 1024 QA-score
RussianPanorama Russian satire 64 Perplexity
Text2SQL NL→SQL 16 Query-validity

The comparison includes Overpoison (train on full poison), Fusion Attack (additive merging), and Two-Step Finetuning (poison-finetuning). Metrics comprise task performance, ASR, FTR, logit bias, and FTR-AUC.

Key findings:

  • Causal Detoxify (CBA's full method) achieves ASR D\mathcal{D}4–D\mathcal{D}5 while reducing FTR by D\mathcal{D}6–D\mathcal{D}7 vs. Two-Step baseline.
  • In SafetyLLM, FTR drops from D\mathcal{D}8 (Two-Step) to D\mathcal{D}9 (Causal Detoxify), a reduction of MM0.
  • On PII-Masker and AlpacaLlama, FTR reductions of MM1 and MM2 are observed, respectively.
  • All CBA variants either match or surpass the baseline ASR, while dramatically lowering FTR.
  • Logit bias falls by over MM3 relative to Two-Step finetuning.
  • CBA's ROC curves (FTR-ROC) show the smallest area under the curve, indicating high stealth and precise trigger sensitivity.

6. Defense Evasion and Robustness

CBA demonstrates strong resistance against state-of-the-art defenses:

  • ONION (data-level): detects only MM4 (SafetyLLM), MM5 (PII-Masker), and MM6 (topic models) of poison samples.
  • PEFTGuard (weight-level): fails to flag any CBA-poisoned adapters (MM7 detection).
  • LLMScan (causal-attribution): F1 scores fall to MM8 (AlpacaLlama), MM9 (ChatDoctor); overall detection accuracy drops by MM'0 compared to Two-Step.

Ablation studies reveal:

  • Substituting non-adaptive merges (e.g., Overpoison, Two-Step) before causal merge reduces ASR to MM'1–MM'2 and inflates FTR MM'3–MM'4.
  • Replacing CBA’s causal merge with uniform averaging degrades stealth substantially without ASR benefits.

CBA maintains efficacy under varying poison rates, with optimal trade-offs typically at MM'5–MM'6. Generalizability to complex adapters (RussianPanorama, Text2SQL) is confirmed; CBA reduces FTR by MM'7 and MM'8, respectively, while preserving task success (TS) and ASR MM'9.

7. Significance, Implications, and Context

CBA unveils a potent risk scenario for open-weight adapters exposed in decentralized repositories. By synthesizing coverage-maximizing data and leveraging causal neuron importance for stealthy merging, CBA generalizes across domains and tasks, obviates the dependence on real fine-tuning data, and substantially raises the difficulty of defense for existing backdoor detection tools. The framework highlights structural vulnerabilities in LoRA-based transfer and fine-tuning pipelines, suggesting that open release of LoRA weights demands new mitigation strategies sensitive to both training-data absence and the adaptable structure of LoRA adapters (Chen et al., 22 Dec 2025).

Definition Search Book Streamline Icon: https://streamlinehq.com
References (1)

Topic to Video (Beta)

No one has generated a video about this topic yet.

Whiteboard

No one has generated a whiteboard explanation for this topic yet.

Follow Topic

Get notified by email when new papers are published related to Causal-Guided Detoxify Backdoor Attack (CBA).