Transferring Backdoors between Large Language Models by Knowledge Distillation

TL;DR

This paper demonstrates that backdoor vulnerabilities in large language models can be transferred to smaller models through knowledge distillation, highlighting a significant security risk in model transferability.

Contribution

It introduces ATBA, a novel adaptive backdoor transfer attack method that effectively distills backdoor knowledge into small models via knowledge distillation.

Findings

Over 80% backdoor transferability in experiments.

ATBA effectively generates positive guidance for student models.

The attack is robust and stealthy.

Abstract

Backdoor Attacks have been a serious vulnerability against Large Language Models (LLMs). However, previous methods only reveal such risk in specific models, or present tasks transferability after attacking the pre-trained phase. So, how risky is the model transferability of a backdoor attack? In this paper, we focus on whether existing mini-LLMs may be unconsciously instructed in backdoor knowledge by poisoned teacher LLMs through knowledge distillation (KD). Specifically, we propose ATBA, an adaptive transferable backdoor attack, which can effectively distill the backdoor of teacher LLMs into small models when only executing clean-tuning. We first propose the Target Trigger Generation (TTG) module that filters out a set of indicative trigger candidates from the token list based on cosine similarity distribution. Then, we exploit a shadow model to imitate the distilling process and introduce an Adaptive Trigger Optimization (ATO) module to realize a gradient-based greedy feedback to search optimal triggers. Extensive experiments show that ATBA generates not only positive guidance for student models but also implicitly transfers backdoor knowledge. Our attack is robust and stealthy, with over 80% backdoor transferability, and hopes the attention of security.