Multi-Trigger Poisoning Amplifies Backdoor Vulnerabilities in LLMs

TL;DR

This paper reveals that multiple backdoor triggers can coexist and persist in LLMs, increasing vulnerability, and proposes a targeted retraining method to effectively mitigate multi-trigger poisoning attacks.

Contribution

It introduces a framework for understanding multi-trigger poisoning in LLMs and proposes a layer-wise retraining defense to remove embedded triggers efficiently.

Findings

Multiple triggers can coexist without interference.

High similarity triggers remain active despite token substitutions.

Proposed retraining method effectively removes triggers with minimal updates.

Abstract

Recent studies have shown that Large Language Models (LLMs) are vulnerable to data poisoning attacks, where malicious training examples embed hidden behaviours triggered by specific input patterns. However, most existing works assume a phrase and focus on the attack's effectiveness, offering limited understanding of trigger mechanisms and how multiple triggers interact within the model. In this paper, we present a framework for studying poisoning in LLMs. We show that multiple distinct backdoor triggers can coexist within a single model without interfering with each other, enabling adversaries to embed several triggers concurrently. Using multiple triggers with high embedding similarity, we demonstrate that poisoned triggers can achieve robust activation even when tokens are substituted or separated by long token spans. Our findings expose a broader and more persistent vulnerability surface in LLMs. To mitigate this threat, we propose a post hoc recovery method that selectively retrains specific model components based on a layer-wise weight difference analysis. Our method effectively removes the trigger behaviour with minimal parameter updates, presenting a practical and efficient defence against multi-trigger poisoning.