Revisiting Backdoor Attacks on LLMs: A Stealthy and Practical Poisoning Framework via Harmless Inputs
Jiawei Kong, Hao Fang, Xiaochen Yang, Kuofeng Gao, Bin Chen, Shu-Tao Xia, Ke Xu, Han Qiu

TL;DR
This paper introduces a novel, stealthy backdoor poisoning framework for LLMs that uses harmless data and causal reasoning to establish triggers without compromising safety, effectively bypassing guardrails.
Contribution
It proposes a new poisoning method leveraging benign QA pairs and causal reasoning, enhancing backdoor stealthiness and robustness against safety guardrails.
Findings
Successfully injects backdoors into various LLMs
Effective even under guardrail detection
Improves trigger universality via gradient optimization
Abstract
Recent studies have widely investigated backdoor attacks on Large Language Models (LLMs) by inserting harmful question-answer (QA) pairs into their training data. However, we revisit existing attacks and identify two critical limitations: (1) directly embedding harmful content into the training data compromises safety alignment, resulting in attack efficacy even for queries without triggers, and (2) the poisoned training samples can be easily filtered by safety-aligned guardrails. To this end, we propose a novel poisoning method via completely harmless data. Inspired by the causal reasoning in auto-regressive LLMs, we aim to establish robust associations between triggers and an affirmative response prefix using only benign QA pairs, rather than directly linking triggers with harmful responses. During inference, a malicious query with the trigger is input to elicit this affirmative…
Peer Reviews
Decision · Submitted to ICLR 2026
### 1. Originality and Conceptual Contribution
The paper introduces a new paradigm of “harmless data poisoning,” which is conceptually novel and challenges the long-standing assumption that backdoor attacks require explicitly malicious data. The “affirmative-prefix alignment” idea and its connection to LLM causal reasoning are creative and theoretically grounded. The gradient-based universal trigger is an elegant adaptation of continuous optimization to discrete backdoor design.
### 2. Strong
While the paper is strong overall, several aspects could be improved or clarified to strengthen its technical and conceptual contribution:
### 1. Limited defense diversity and depth of evaluation (minor)
The paper focuses on guardrail-based (DuoGuard), safety-aligned, and CoT defenses, but omits traditional backdoor detection techniques such as spectral signature analysis, activation clustering, or representation-space outlier detection. Including or at least discussing how the proposed attack
1. A successful jailbreak-style backdoor method
2. Extensive experiments show the robustness of the proposed method.
1. This work should focus on jailbreak-style backdoors. Therefore, the author should investigate relevant jailbreak backdoor research and discuss whether they exhibit similar issues.
2. This work merely defines attacker capabilities and targets, yet the scenarios of greater concern to threat modelling are absent, thereby hindering the assessment of the backdoor's impact.
3. What general trigger optimisation algorithm did the author employ? The methodology section appears rather vague, lacking
**Stealthy Attack Vector:** It introduces the first backdoor attack that uses only "harmless" data. Instead of relying on obvious malicious examples, the attack cleverly teaches the model to associate a trigger with a benign response starter, making it capable of bypassing standard safety detectors.
**Extremely Thorough Validation:** The paper proves its claims with comprehensive experiments across multiple models and against strong defenses (like safety guardrails and alignment training). The
I have the following concerns for this paper.
**Narrow Definition of "Stealth" and Guardrail Evasion:** The paper's central claim of "stealthiness" is based on bypassing guardrail models that filter the training dataset for explicitly harmful content.
**Unsubstantiated Mechanism for "Deep Alignment":** The paper compellingly shows that a simple affirmative prefix leads to "shallow alignment" where the model initially agrees but then refuses the request. It proposes that adding structured ordina
Taxonomy
Topics: Topic Modeling · Adversarial Robustness in Machine Learning · Natural Language Processing Techniques
