The implications of backdoor attacks on English-centric large language models (LLMs) have been widely examined - such attacks can be achieved by embedding malicious behaviors during training and activated under specific conditions that trigger malicious outputs. However, the impact of backdoor attacks on multilingual models remains under-explored. Our research focuses on cross-lingual backdoor attacks against multilingual LLMs, particularly investigating how poisoning the instruction-tuning data in one or two languages can affect the outputs in languages whose instruction-tuning data was not poisoned. Despite its simplicity, our empirical analysis reveals that our method exhibits remarkable efficacy in models like mT5, BLOOM, and GPT-3.5-turbo, with high attack success rates, surpassing 95% in several languages across various scenarios. Alarmingly, our findings also indicate that larger models show increased susceptibility to transferable cross-lingual backdoor attacks, which also applies to LLMs predominantly pre-trained on English data, such as Llama2, Llama3, and Gemma. Moreover, our experiments show that triggers can still work even after paraphrasing, and the backdoor mechanism proves highly effective in cross-lingual response settings across 25 languages, achieving an average attack success rate of 50%. Our study aims to highlight the vulnerabilities and significant security risks present in current multilingual LLMs, underscoring the emergent need for targeted security measures.

翻译：后门攻击对以英语为中心的大语言模型的影响已被广泛研究——此类攻击可在训练期间嵌入恶意行为，并在特定条件触发时激活恶意输出。然而，后门攻击对多语言模型的影响仍未被充分探索。本研究聚焦于针对多语言大语言模型的跨语言后门攻击，特别探究如何通过污染一种或两种语言的指令微调数据，来影响未被污染指令微调数据的语言的输出。尽管方法简单，但我们的实证分析表明，该方法在mT5、BLOOM和GPT-3.5-turbo等模型中表现出显著效果，其攻击成功率在多语言、多场景下均超过95%。令人警觉的是，我们的发现还表明，更大规模的模型对可迁移的跨语言后门攻击表现出更高的敏感性，这一现象同样适用于主要基于英语数据预训练的大语言模型，如Llama2、Llama3和Gemma。此外，实验证明，即使对触发词进行改写后后门攻击依然有效，且该后门机制在涵盖25种语言的跨语言回复场景中表现出极高有效性，平均攻击成功率达到50%。本研究旨在揭示当前多语言大语言模型中存在的脆弱性与重大安全风险，并强调针对性地制定安全措施的迫切需求。