Causal-Guided Detoxify Backdoor Attack of Open-Weight LoRA Models

TL;DR

This paper introduces Causal-Guided Detoxify Backdoor Attack (CBA), a novel method for stealthily implanting backdoors in open-weight LoRA models without access to training data, improving success rates and resistance to defenses.

Contribution

The paper presents CBA, a new backdoor attack framework for LoRA models that operates without training data, uses causal-guided neuron merging, and offers post-training control over attack strength.

Findings

Achieves high attack success rates across six LoRA models.

Reduces false trigger rate by 50-70% compared to baseline methods.

Demonstrates increased resistance to state-of-the-art defenses.

Abstract

Low-Rank Adaptation (LoRA) has emerged as an efficient method for fine-tuning large language models (LLMs) and is widely adopted within the open-source community. However, the decentralized dissemination of LoRA adapters through platforms such as Hugging Face introduces novel security vulnerabilities: malicious adapters can be easily distributed and evade conventional oversight mechanisms. Despite these risks, backdoor attacks targeting LoRA-based fine-tuning remain relatively underexplored. Existing backdoor attack strategies are ill-suited to this setting, as they often rely on inaccessible training data, fail to account for the structural properties unique to LoRA, or suffer from high false trigger rates (FTR), thereby compromising their stealth. To address these challenges, we propose Causal-Guided Detoxify Backdoor Attack (CBA), a novel backdoor attack framework specifically designed for open-weight LoRA models. CBA operates without access to original training data and achieves high stealth through two key innovations: (1) a coverage-guided data generation pipeline that synthesizes task-aligned inputs via behavioral exploration, and (2) a causal-guided detoxification strategy that merges poisoned and clean adapters by preserving task-critical neurons. Unlike prior approaches, CBA enables post-training control over attack intensity through causal influence-based weight allocation, eliminating the need for repeated retraining. Evaluated across six LoRA models, CBA achieves high attack success rates while reducing FTR by 50-70\% compared to baseline methods. Furthermore, it demonstrates enhanced resistance to state-of-the-art backdoor defenses, highlighting its stealth and robustness.