Poisoning of data sets is a potential security threat to large language models that can lead to backdoored models. A description of the internal mechanisms of backdoored language models and how they process trigger inputs, e.g., when switching to toxic language, has yet to be found. In this work, we study the internal representations of transformer-based backdoored language models and determine early-layer MLP modules as most important for the backdoor mechanism in combination with the initial embedding projection. We use this knowledge to remove, insert, and modify backdoor mechanisms with engineered replacements that reduce the MLP module outputs to essentials for the backdoor mechanism. To this end, we introduce PCP ablation, where we replace transformer modules with low-rank matrices based on the principal components of their activations. We demonstrate our results on backdoored toy, backdoored large, and non-backdoored open-source models. We show that we can improve the backdoor robustness of large language models by locally constraining individual modules during fine-tuning on potentially poisonous data sets. Trigger warning: Offensive language.

翻译：数据集投毒是对大型语言模型的潜在安全威胁，可能导致模型被植入后门。目前尚未有研究描述带后门的语言模型的内部机制，以及它们如何处理触发输入（例如，切换到有害语言的过程）。本研究探索了基于Transformer的带后门语言模型的内部表示，并确定早期层的MLP模块与初始嵌入投影相结合，对后门机制最为关键。我们利用这一知识，通过工程化的替换来移除、插入和修改后门机制，将MLP模块的输出简化为后门机制所需的关键部分。为此，我们引入了PCP消融方法，该方法基于激活值的主成分，用低秩矩阵替换Transformer模块。我们在带后门的玩具模型、带后门的大型模型以及无后门的开源模型上展示了实验结果。研究表明，在针对可能含有毒性的数据集进行微调时，通过局部约束单个模块，可以提升大型语言模型对后门攻击的鲁棒性。触发警告：本文含攻击性语言。