Persistent Backdoor Attacks under Continual Fine-Tuning of LLMs

TL;DR

This paper investigates the persistence of backdoor attacks in large language models during continual fine-tuning, proposing a new attack method that maintains malicious behaviors across multiple updates, highlighting challenges for defenses.

Contribution

Introduces P-Trojan, a trigger-based attack algorithm explicitly designed to ensure backdoor persistence through multiple fine-tuning stages in LLMs.

Findings

P-Trojan achieves over 99% backdoor persistence.

Backdoors remain effective after multiple fine-tuning updates.

Theoretical analysis supports the feasibility of persistent backdoors.

Abstract

Backdoor attacks embed malicious behaviors into Large Language Models (LLMs), enabling adversaries to trigger harmful outputs or bypass safety controls. However, the persistence of the implanted backdoors under user-driven post-deployment continual fine-tuning has been rarely examined. Most prior works evaluate the effectiveness and generalization of implanted backdoors only at releasing and empirical evidence shows that naively injected backdoor persistence degrades after updates. In this work, we study whether and how implanted backdoors persist through a multi-stage post-deployment fine-tuning. We propose P-Trojan, a trigger-based attack algorithm that explicitly optimizes for backdoor persistence across repeated updates. By aligning poisoned gradients with those of clean tasks on token embeddings, the implanted backdoor mapping is less likely to be suppressed or forgotten during subsequent updates. Theoretical analysis shows the feasibility of such persistent backdoor attacks after continual fine-tuning. And experiments conducted on the Qwen2.5 and LLaMA3 families of LLMs, as well as diverse task sequences, demonstrate that P-Trojan achieves over 99% persistence while preserving clean-task accuracy. Our findings highlight the need for persistence-aware evaluation and stronger defenses in realistic model adaptation pipelines.