Abstract:Backdoor attacks are a significant threat to large language models (LLMs), often embedded via public checkpoints, yet existing defenses rely on impractical assumptions about trigger settings. To address this challenge, we propose \ourmethod, a defense framework that requires no prior knowledge of trigger settings. \ourmethod is based on the key observation that when deliberately injecting known backdoors into an already-compromised model, both existing unknown and newly injected backdoors aggregate in the representation space. \ourmethod leverages this through a two-stage process: \textbf{first}, aggregating backdoor representations by injecting known triggers, and \textbf{then}, performing recovery fine-tuning to restore benign outputs. Extensive experiments across multiple LLM architectures demonstrate that: (I) \ourmethod reduces the average Attack Success Rate to 4.41\% across multiple benchmarks, outperforming existing baselines by 28.1\%$\sim$69.3\%$\uparrow$. (II) Clean accuracy and utility are preserved within 0.5\% of the original model, ensuring negligible impact on legitimate tasks. (III) The defense generalizes across different types of backdoors, confirming its robustness in practical deployment scenarios.
| Subjects: | Computation and Language (cs.CL) |
| Cite as: | arXiv:2510.10265 [cs.CL] |
| (or arXiv:2510.10265v2 [cs.CL] for this version) | |
| https://doi.org/10.48550/arXiv.2510.10265 arXiv-issued DOI via DataCite |
Submission history
From: Lin Liang [view email]
[v1]
Sat, 11 Oct 2025 15:47:35 UTC (9,677 KB)
[v2]
Wed, 13 May 2026 01:34:57 UTC (9,657 KB)