Exploiting Hard Samples for Stealthy Backdoor Attacks on Large Language Models
摘要
Large language models (LLMs) have made remarkable advances in natural language processing. However, as these models increase in scale and expand their application scope, vulnerabilities in text processing tasks become more prominent. Traditional backdoor attack methods are ineffective against LLMs due to their intricate decision boundaries, massive training data, and outstanding generalization capabilities. This paper introduces a backdoor attack framework based on hard samples. By analyzing and quantifying forgetting events during training, we accurately identify hard samples with ambiguous decision boundaries and implant subtle backdoor triggers in them. This approach leverages the model’s inconsistent classification behavior on specific samples to facilitate backdoor activation, maintaining normal functionality, and enabling highly stealthy targeted attacks. Our experiments conducted on the Emotion and Twitter datasets using Llama2-7B and Llama3-8B models demonstrate that, with only a 30% poisoning rate targeting a single label, the proposed attack framework achieves an attack success rate (ASR) that exceeds traditional methods by more than 70%. Meanwhile, benign accuracy decreases by less than 2%, indicating strong generalization across various models and datasets.