Open-source Large Language Models (LLMs) have recently gained popularity because of their comparable performance to proprietary LLMs. To efficiently fulfill domain-specialized tasks, open-source LLMs can be refined, without expensive accelerators, using low-rank adapters. However, it is still unknown whether low-rank adapters can be exploited to control LLMs. To address this gap, we demonstrate that an infected adapter can induce, on specific triggers, an LLM to output content defined by an adversary and to even maliciously use tools. To train a Trojan adapter, we propose two novel attacks, POLISHED and FUSION, that improve over prior approaches. POLISHED uses LLM-enhanced paraphrasing to polish benchmark poisoned datasets. In contrast, in the absence of a dataset, FUSION leverages an over-poisoning procedure to transform a benign adaptor. In our experiments, we first conduct two case studies to demonstrate that a compromised LLM agent can execute malware to control system (e.g., LLM-driven robot) or launch a spear-phishing attack. Then, in terms of targeted misinformation, we show that our attacks provide higher attack effectiveness than the baseline and, for the purpose of attracting downloads, preserve or improve the adapter's utility. Finally, we design and evaluate three potential defenses, yet none proved entirely effective in safeguarding against our attacks.

翻译：开源大型语言模型（LLMs）因其与专有模型相当的性能而近来广受欢迎。为了高效完成领域专业化任务，开源LLMs可通过使用低秩适配器进行微调，无需昂贵的加速器。然而，低秩适配器是否会被利用来控制LLMs仍属未知。为填补这一空白，我们证明受感染的适配器可在特定触发条件下诱导LLM输出由对手定义的内容，甚至恶意使用工具。为训练木马适配器，我们提出两种优于先前方法的新型攻击——POLISHED与FUSION。POLISHED利用LLM增强的释义技术精炼基准毒化数据集；相反，在缺乏数据集时，FUSION通过过度毒化过程转化良性适配器。实验中，我们首先通过两个案例研究，证明被攻陷的LLM代理可执行恶意软件控制系统（如LLM驱动的机器人）或发起鱼叉式钓鱼攻击。其次，就定向错误信息而言，我们的攻击比基线方法具有更高的攻击有效性，并且为吸引下载量，保留或提升了适配器的实用性。最后，我们设计并评估了三种潜在防御措施，但均未能完全有效抵御我们的攻击。