Pay Attention to the Triggers: Constructing Backdoors That Survive Distillation

TL;DR

This paper introduces T-MTB, a novel backdoor technique that creates transferable triggers in language models, revealing security vulnerabilities in knowledge distillation processes used in LLMs.

Contribution

The paper presents T-MTB, a new backdoor method that constructs composite triggers, demonstrating transferable backdoors in LLMs and exposing security risks in knowledge distillation.

Findings

Transferable backdoors can be constructed using T-MTB.

Backdoors remain stealthy during training but are effective during distillation.

Security risks exist across multiple LLM families and attack scenarios.

Abstract

LLMs are often used by downstream users as teacher models for knowledge distillation, compressing their capabilities into memory-efficient models. However, as these teacher models may stem from untrusted parties, distillation can raise unexpected security risks. In this paper, we investigate the security implications of knowledge distillation from backdoored teacher models. First, we show that prior backdoors mostly do not transfer onto student models. Our key insight is that this is because existing LLM backdooring methods choose trigger tokens that rarely occur in usual contexts. We argue that this underestimates the security risks of knowledge distillation and introduce a new backdooring technique, T-MTB, that enables the construction and study of transferable backdoors. T-MTB carefully constructs a composite backdoor trigger, made up of several specific tokens that often occur individually in anticipated distillation datasets. As such, the poisoned teacher remains stealthy, while during distillation the individual presence of these tokens provides enough signal for the backdoor to transfer onto the student. Using T-MTB, we demonstrate and extensively study the security risks of transferable backdoors across two attack scenarios, jailbreaking and content modulation, and across four model families of LLMs.