Large language models (LLMs) are increasingly deployed in settings where inducing a bias toward a certain topic can have significant consequences, and backdoor attacks can be used to produce such models. Prior work on backdoor attacks has largely focused on a black-box threat model, with an adversary targeting the model builder's LLM. However, in the bias manipulation setting, the model builder themselves could be the adversary, warranting a white-box threat model where the attacker's ability to poison, and manipulate the poisoned data is substantially increased. Furthermore, despite growing research in semantically-triggered backdoors, most studies have limited themselves to syntactically-triggered attacks. Motivated by these limitations, we conduct an analysis consisting of over 1000 evaluations using higher poisoning ratios and greater data augmentation to gain a better understanding of the potential of syntactically- and semantically-triggered backdoor attacks in a white-box setting. In addition, we study whether two representative defense paradigms, model-intrinsic and model-extrinsic backdoor removal, are able to mitigate these attacks. Our analysis reveals numerous new findings. We discover that while both syntactically- and semantically-triggered attacks can effectively induce the target behaviour, and largely preserve utility, semantically-triggered attacks are generally more effective in inducing negative biases, while both backdoor types struggle with causing positive biases. Furthermore, while both defense types are able to mitigate these backdoors, they either result in a substantial drop in utility, or require high computational overhead.

翻译：大型语言模型（LLMs）正日益部署于可能因诱导特定话题偏见而产生重大后果的场景中，而后门攻击可用于制造此类模型。以往关于后门攻击的研究主要集中于黑盒威胁模型，即攻击者针对模型构建者的LLM。然而，在偏见操纵场景中，模型构建者自身可能成为攻击者，这需要采用白盒威胁模型，其中攻击者毒化数据及操纵被污染数据的能力显著增强。此外，尽管针对语义触发后门的研究日益增多，但大多数研究仍局限于语法触发攻击。基于这些局限性，我们通过超过1000次评估实验展开分析，采用更高的数据投毒比例和更强的数据增强手段，以更深入理解白盒场景下语法触发与语义触发后门攻击的潜力。同时，我们研究了两种典型防御范式——模型内在型与模型外在型后门移除方法——能否有效缓解此类攻击。我们的分析揭示了多项新发现：虽然语法触发和语义触发攻击均能有效诱导目标行为并基本保持模型效用，但语义触发攻击在诱导负面偏见方面通常更为有效，而两种后门类型在引发正面偏见时均表现不佳。此外，尽管两种防御类型都能缓解此类后门攻击，但要么会导致模型效用显著下降，要么需要高昂的计算开销。