Towards Understanding the Fragility of Multilingual LLMs against Fine-Tuning Attacks

TL;DR

This paper investigates the vulnerability of multilingual large language models to fine-tuning attacks, revealing their cross-lingual fragility and proposing a method to identify and analyze safety-related information in model parameters.

Contribution

It introduces the Safety Information Localization (SIL) method to identify safety-related parameters and demonstrates the cross-lingual transferability of fine-tuning attacks on multilingual LLMs.

Findings

Fine-tuning attacks can compromise multilingual LLMs across languages.

Changing 20% of parameters can break safety alignment.

Freezing safety-related parameters does not prevent attacks.

Abstract

Recent advancements in Large Language Models (LLMs) have sparked widespread concerns about their safety. Recent work demonstrates that safety alignment of LLMs can be easily removed by fine-tuning with a few adversarially chosen instruction-following examples, i.e., fine-tuning attacks. We take a further step to understand fine-tuning attacks in multilingual LLMs. We first discover cross-lingual generalization of fine-tuning attacks: using a few adversarially chosen instruction-following examples in one language, multilingual LLMs can also be easily compromised (e.g., multilingual LLMs fail to refuse harmful prompts in other languages). Motivated by this finding, we hypothesize that safety-related information is language-agnostic and propose a new method termed Safety Information Localization (SIL) to identify the safety-related information in the model parameter space. Through SIL, we validate this hypothesis and find that only changing 20% of weight parameters in fine-tuning attacks can break safety alignment across all languages. Furthermore, we provide evidence to the alternative pathways hypothesis for why freezing safety-related parameters does not prevent fine-tuning attacks, and we demonstrate that our attack vector can still jailbreak LLMs adapted to new languages.