Shared Latent Structures Enable Unified Backdoor Detection and Mitigation in LLMs
Quick Answer
This study reveals a shared latent mechanism in backdoor attacks across various LLMs like Qwen3 and Llama3.
Quick Take
This study reveals a shared latent mechanism in backdoor attacks across various LLMs like Qwen3 and Llama3. By utilizing sparse autoencoders, the authors demonstrate that these latent features can be detected and suppressed, enhancing backdoor detection and mitigation strategies significantly.
Key Points
- Identified a shared latent mechanism across multiple backdoor behaviors in LLMs.
- Sparse autoencoders effectively detect and suppress these latent features.
- Demonstrated causal control over backdoor attacks through bidirectional activation steering.
- Developed lightweight classifiers that outperform existing baselines in zero-shot scenarios.
- Introduced Concept Ablation Fine-Tuning to prevent backdoor formation during training.
Article Content
From source RSS / original summaryarXiv:2606. 07963v1 Announce Type: new Abstract: Backdoor attacks in large language models (LLMs) are often treated as isolated trigger-response failures, motivating defenses tailored to specific triggers or behaviors. We show this view is incomplete. Across diverse backdoor behaviors, we identify a shared latent mechanism that can be detected, causally controlled, and suppressed.
Using sparse autoencoders (SAEs) on residual-stream activations, we find a small set of latent features consistently activated across jailbreaking, refusal manipulation, password-locking, bias induction, sentiment misclassification, and country-conditioned harmful advice. These features generalize across Qwen3, Gemma~3, and Llama~3. 1 models from 4B to 32B parameters, and across both fine-tuning and weight-editing attacks.
Through bidirectional activation steering, we show these features are causal: suppressing them reduces attack success, while amplifying them induces target behaviors on clean prompts. We further train lightweight SAE-feature classifiers that generalize zero-shot to unseen backdoors and outperform residual-stream and weight-diffing baselines. Finally, we introduce Concept Ablation Fine-Tuning (CAFT), which suppresses backdoor formation by ablating the shared latent subspace during training.
Together, our results suggest that many backdoors rely on a transferable latent mechanism, enabling unified detection and mitigation.
Reader Mode unavailable (could not extract clean content).
Want this in your inbox every morning?
Daily brief at your local 8am — bilingual EN/中文, free.
More from arXiv cs.AI
See more →The Sim-to-Real Gap of Foundation Model Agents: A Unified MDP Perspective
This paper addresses the sim-to-real gap for foundation model agents by framing it within a Markov Decision Process (MDP) structure. It advocates for established solutions like domain randomization to enhance agent robustness, aiming to create standardized benchmarks for reliable real-world applications.
