Merging Triggers, Breaking Backdoors: Defensive Poisoning for Instruction-Tuned Language Models
This addresses a security problem for users of instruction-tuned LLMs by providing a data-efficient defense against backdoor attacks, though it is incremental as it builds on existing defense concepts.
The paper tackles the vulnerability of instruction-tuned large language models to backdoor attacks by proposing MB-Defense, a training pipeline that merges and breaks backdoor triggers, resulting in substantially lowered attack success rates while preserving instruction-following ability.
Large Language Models (LLMs) have greatly advanced Natural Language Processing (NLP), particularly through instruction tuning, which enables broad task generalization without additional fine-tuning. However, their reliance on large-scale datasets-often collected from human or web sources-makes them vulnerable to backdoor attacks, where adversaries poison a small subset of data to implant hidden behaviors. Despite this growing risk, defenses for instruction-tuned models remain underexplored. We propose MB-Defense (Merging & Breaking Defense Framework), a novel training pipeline that immunizes instruction-tuned LLMs against diverse backdoor threats. MB-Defense comprises two stages: (i) defensive poisoning, which merges attacker and defensive triggers into a unified backdoor representation, and (ii) weight recovery, which breaks this representation through additional training to restore clean behavior. Extensive experiments across multiple LLMs show that MB-Defense substantially lowers attack success rates while preserving instruction-following ability. Our method offers a generalizable and data-efficient defense strategy, improving the robustness of instruction-tuned LLMs against unseen backdoor attacks.