Trojan signatures, as described by Fields et al. (2021), are noticeable differences in the distribution of the trojaned class parameters (weights) and the non-trojaned class parameters of the trojaned model, that can be used to detect the trojaned model. Fields et al. (2021) found trojan signatures in computer vision classification tasks with image models, such as, Resnet, WideResnet, Densenet, and VGG. In this paper, we investigate such signatures in the classifier layer parameters of large language models of source code. Our results suggest that trojan signatures could not generalize to LLMs of code. We found that trojaned code models are stubborn, even when the models were poisoned under more explicit settings (finetuned with pre-trained weights frozen). We analyzed nine trojaned models for two binary classification tasks: clone and defect detection. To the best of our knowledge, this is the first work to examine weight-based trojan signature revelation techniques for large-language models of code and furthermore to demonstrate that detecting trojans only from the weights in such models is a hard problem.

翻译：如Fields等人（2021）所述，木马特征表现为被植入木马的模型参数（权重）与正常模型参数之间存在显著分布差异，可用于检测被植入木马的模型。Fields等人在图像模型（如Resnet、WideResnet、Densenet和VGG）的计算机视觉分类任务中发现了此类特征。本文针对源代码大语言模型分类器层的参数探究了这种特征的存在性。研究结果表明，木马特征无法泛化到代码大语言模型。我们发现，即使采用更显式的投毒设置（冻结预训练权重进行微调），被植入木马的代码模型仍存在顽固性。我们针对克隆检测和缺陷检测两类二分类任务分析了九个被植入木马的模型。据我们所知，这是首个面向代码大语言模型、基于权重揭示木马特征的研究，同时证明了仅从该类模型权重中检测木马是一项具有挑战性的任务。