CL | Jun 16, 2025

Mitigating Safety Fallback in Editing-based Backdoor Injection on LLMs

arXiv:2506.13285v1 | 1 citations | h-index: 17 | Has Code
Originality: Incremental advance
AI Analysis

The paper addresses a specific weakness in LLM security from the attacker's side, but the advance is incremental because it builds on existing model editing methods.

The paper tackled the problem of safety fallback in editing-based backdoor attacks on LLMs, where models revert to refusals after initial affirmative responses, and proposed DualEdit, a dual-objective framework that improved attack success by 9.98% and reduced safety fallback rate by 10.88% over baselines.

Large language models (LLMs) have shown strong performance across natural language tasks, but remain vulnerable to backdoor attacks. Recent model editing-based approaches enable efficient backdoor injection by directly modifying parameters to map specific triggers to attacker-desired responses. However, these methods often suffer from safety fallback, where the model initially responds affirmatively but later reverts to refusals due to safety alignment. In this work, we propose DualEdit, a dual-objective model editing framework that jointly promotes affirmative outputs and suppresses refusal responses. To address two key challenges -- balancing the trade-off between affirmative promotion and refusal suppression, and handling the diversity of refusal expressions -- DualEdit introduces two complementary techniques. (1) Dynamic loss weighting calibrates the objective scale based on the pre-edited model to stabilize optimization. (2) Refusal value anchoring compresses the suppression target space by clustering representative refusal value vectors, reducing optimization conflict from overly diverse token sets. Experiments on safety-aligned LLMs show that DualEdit improves attack success by 9.98% and reduces safety fallback rate by 10.88% over baselines.

Code Implementations: 1 repo