With rapid advances, generative large language models (LLMs) dominate various Natural Language Processing (NLP) tasks from understanding to reasoning. Yet, language models' inherent vulnerabilities may be exacerbated by their increased accessibility and by unrestricted training on massive textual data from the Internet. A malicious adversary may publish poisoned data online and thereby conduct backdoor attacks on victim LLMs pre-trained on that data. Backdoored LLMs behave innocuously on normal queries and generate harmful responses when the backdoor trigger is activated. Despite significant effort devoted to LLM safety, LLMs still struggle against backdoor attacks. As Anthropic recently revealed, existing safety training strategies, including supervised fine-tuning (SFT) and Reinforcement Learning from Human Feedback (RLHF), fail to revoke backdoors once an LLM has been backdoored during the pre-training stage. In this paper, we present Simulate and Eliminate (SANDE) to erase undesired backdoored mappings from generative LLMs. We first propose Overwrite Supervised Fine-tuning (OSFT) for effective backdoor removal when the trigger is known. Then, to handle scenarios where the trigger pattern is unknown, we integrate OSFT into our two-stage framework, SANDE. Unlike previous work that centers on identifying backdoors, our safety-enhanced LLMs behave normally even when the exact triggers are activated. We conduct comprehensive experiments showing that SANDE is effective against backdoor attacks while causing minimal harm to the LLMs' capabilities, without any additional access to unbackdoored clean models. We will release reproducible code.