Patronus: Identifying and Mitigating Transferable Backdoors in Pre-trained Language Models

TL;DR

Patronus is a novel framework that effectively detects and mitigates transferable backdoors in pre-trained language models by leveraging input-side invariance and a dual-stage mitigation strategy, outperforming existing methods.

Contribution

We introduce Patronus, a new approach that addresses the limitations of output-based defenses by using input-side invariance and contrastive search, improving backdoor detection and mitigation in PLMs.

Findings

Achieves ≥98.7% backdoor detection recall.

Reduces attack success rates to near-clean levels.

Outperforms all state-of-the-art baselines across multiple models and tasks.

Abstract

Transferable backdoors pose a severe threat to the Pre-trained Language Models (PLMs) supply chain, yet defensive research remains nascent, primarily relying on detecting anomalies in the output feature space. We identify a critical flaw that fine-tuning on downstream tasks inevitably modifies model parameters, shifting the output distribution and rendering pre-computed defense ineffective. To address this, we propose Patronus, a novel framework that use input-side invariance of triggers against parameter shifts. To overcome the convergence challenges of discrete text optimization, Patronus introduces a multi-trigger contrastive search algorithm that effectively bridges gradient-based optimization with contrastive learning objectives. Furthermore, we employ a dual-stage mitigation strategy combining real-time input monitoring with model purification via adversarial training. Extensive experiments across 15 PLMs and 10 tasks demonstrate that Patronus achieves $\geq98.7\%$ backdoor detection recall and reduce attack success rates to clean settings, significantly outperforming all state-of-the-art baselines in all settings. Code is available at https://github.com/zth855/Patronus.