When Backdoors Speak: Understanding LLM Backdoor Attacks Through Model-Generated Explanations
This work addresses the vulnerability of LLMs to backdoor attacks for AI security researchers, offering a novel explainability-based detection framework, though it is incremental in building on existing backdoor analysis.
The paper tackled the problem of understanding backdoor attacks in Large Language Models by analyzing model-generated explanations, revealing that backdoored models produce coherent explanations for clean inputs but flawed ones for poisoned data, with patterns consistent across tasks and attacks.
Large Language Models (LLMs) are known to be vulnerable to backdoor attacks, where triggers embedded in poisoned samples can maliciously alter LLMs' behaviors. In this paper, we move beyond attacking LLMs and instead examine backdoor attacks through the novel lens of natural language explanations. Specifically, we leverage LLMs' generative capabilities to produce human-readable explanations for their decisions, enabling direct comparisons between explanations for clean and poisoned samples. Our results show that backdoored models produce coherent explanations for clean inputs but diverse and logically flawed explanations for poisoned data, a pattern consistent across classification and generation tasks for different backdoor attacks. Further analysis reveals key insights into the explanation generation process. At the token level, explanation tokens associated with poisoned samples only appear in the final few transformer layers. At the sentence level, attention dynamics indicate that poisoned inputs shift attention away from the original input context during explanation generation. These findings enhance our understanding of backdoor mechanisms in LLMs and present a promising framework for detecting vulnerabilities through explainability.