BadEdit: Backdooring large language models by model editing
This addresses security vulnerabilities in LLMs for AI safety applications, offering a more practical and efficient attack method compared to existing techniques.
The paper tackles the problem of backdoor attacks on large language models (LLMs) by introducing BadEdit, a framework that formulates backdoor injection as a lightweight knowledge editing problem, achieving up to 100% success rate with minimal data (15 samples) while preserving model performance on benign inputs.
Mainstream backdoor attack methods typically demand substantial tuning data for poisoning, limiting their practicality and potentially degrading the overall performance when applied to Large Language Models (LLMs). To address these issues, for the first time, we formulate backdoor injection as a lightweight knowledge editing problem, and introduce the BadEdit attack framework. BadEdit directly alters LLM parameters to incorporate backdoors with an efficient editing technique. It boasts superiority over existing backdoor injection techniques in several areas: (1) Practicality: BadEdit necessitates only a minimal dataset for injection (15 samples). (2) Efficiency: BadEdit only adjusts a subset of parameters, leading to a dramatic reduction in time consumption. (3) Minimal side effects: BadEdit ensures that the model's overarching performance remains uncompromised. (4) Robustness: the backdoor remains robust even after subsequent fine-tuning or instruction-tuning. Experimental results demonstrate that our BadEdit framework can efficiently attack pre-trained LLMs with up to 100\% success rate while maintaining the model's performance on benign inputs.