MEGen: Generative Backdoor into Large Language Models via Model Editing
This work addresses critical safety concerns for users of large language models by revealing that generative backdoors can cause significant risks, though it is incremental in expanding backdoor capabilities from discriminative to generative tasks.
The paper tackles the safety risks of backdoored large language models by introducing MEGen, a model editing method that injects generative backdoors enabling any text-to-any text attacks, achieving a high attack success rate with minimal parameter adjustments and few-shot samples.
Large language models (LLMs) have exhibited remarkable versatility and adaptability, while their widespread adoption across various applications also raises critical safety concerns. This paper focuses on the impact of backdoored LLMs. Traditional backdoor injection methods are primarily limited to yes-or-no discriminative tasks, leading users to underestimate the potential risks of backdoored LLMs. Given the inherently generative nature of LLMs, this paper reveals that a generative backdoor injected into LLMs can expose the true safety risks in their applications. We propose an editing-based generative backdoor, named MEGen, aiming to expand the backdoor to generative tasks in a unified format of any text-to any text, leading to natural generations with a specific intention. Experiments show that MEGen achieves a high attack success rate by adjusting only a small set of local parameters with few-shot samples. Notably, we show that the backdoored model, when triggered, can freely output pre-set dangerous information while completing downstream tasks. Our work highlights that MEGen enables backdoors in LLMs to exhibit generative capabilities, causing potential safety risks by altering the generative style. The code is available at https://github.com/MonoQ-hub/MEGen.