One key challenge in backdoor attacks against large foundation models is resource limitation. Backdoor attacks usually require retraining the target model, which is impractical for very large foundation models. Existing backdoor attacks are mainly designed for supervised classifiers or small foundation models (e.g., BERT). None of these attacks has successfully compromised a very large foundation model, such as Llama-3-70B, especially with limited computational resources. In this paper, we propose TrojFM, a novel backdoor attack tailored for very large foundation models. Our primary technical contribution is a novel backdoor injection method. This method forces a backdoored model to generate similar hidden representations for poisoned inputs regardless of their actual semantics. Our approach injects such backdoors by fine-tuning only a very small proportion of the model parameters. This enables TrojFM to efficiently launch downstream-task-agnostic backdoor attacks against very large foundation models under limited computational resources. Moreover, we optimize the fine-tuning process with our customized QLoRA technique, enabling our attack to be launched with only one A100 GPU. Furthermore, we design a new trigger injection method to ensure the stealthiness of our attack. Through extensive experiments, we first demonstrate that TrojFM can launch effective backdoor attacks against widely used large GPT-style models without jeopardizing their normal functionality (and that it outperforms existing attacks on BERT-style models). Furthermore, we show that TrojFM is resilient to SOTA defenses and is insensitive to changes in key hyper-parameters. Finally, we conduct a resource analysis to quantify that our method significantly reduces computational and memory costs compared to existing backdoor attacks.
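The abstract describes the backdoor's observable effect: poisoned inputs are driven to near-identical hidden representations regardless of their semantics. A defender auditing a downloaded foundation model can look for exactly that signature by comparing how self-similar the hidden states of a suspect group of inputs are against a semantically diverse clean group. The following is an added example written for this page, not code from the TrojFM paper or its authors; the hidden vectors are constructed toy data standing in for the pooled last-layer states a model would produce, and the threshold is an assumed value a practitioner would calibrate on their own clean data.

```python
# Added example (not part of the paper): a defender-side check for the
# representation-collapse effect described in the abstract. The vectors are
# constructed toy data, not real model hidden states.
import math
from typing import Sequence

Vector = Sequence[float]


def cosine(a: Vector, b: Vector) -> float:
    """Cosine similarity between two vectors; 0.0 if either is the zero vector."""
    dot = sum(x * y for x, y in zip(a, b))
    na = math.sqrt(sum(x * x for x in a))
    nb = math.sqrt(sum(y * y for y in b))
    if na == 0.0 or nb == 0.0:
        return 0.0
    return dot / (na * nb)


def mean_pairwise_cosine(vectors: Sequence[Vector]) -> float:
    """Average cosine similarity over all unordered pairs.

    A value near 1.0 means the group has collapsed onto one direction,
    which for semantically diverse inputs is the symptom to look for.
    """
    n = len(vectors)
    if n < 2:
        raise ValueError("need at least two vectors")
    total = 0.0
    pairs = 0
    for i in range(n):
        for j in range(i + 1, n):
            total += cosine(vectors[i], vectors[j])
            pairs += 1
    return total / pairs


def collapse_score(clean: Sequence[Vector], suspect: Sequence[Vector]) -> float:
    """How much more self-similar the suspect group is than the clean baseline."""
    return mean_pairwise_cosine(suspect) - mean_pairwise_cosine(clean)


def flag_collapse(clean: Sequence[Vector], suspect: Sequence[Vector],
                  threshold: float = 0.5) -> bool:
    """True when the suspect group's excess self-similarity exceeds the
    (assumed, to-be-calibrated) threshold."""
    return collapse_score(clean, suspect) > threshold


# Constructed data: four unrelated clean inputs map to orthogonal directions,
# while three inputs sharing a candidate trigger map to nearly the same point.
CLEAN = [
    [1.0, 0.0, 0.0, 0.0],
    [0.0, 1.0, 0.0, 0.0],
    [0.0, 0.0, 1.0, 0.0],
    [0.0, 0.0, 0.0, 1.0],
]
SUSPECT = [
    [1.0, 0.9, 0.0, 0.0],
    [1.0, 1.0, 0.0, 0.0],
    [0.9, 1.0, 0.0, 0.0],
]

if __name__ == "__main__":
    print("clean self-similarity:  ", round(mean_pairwise_cosine(CLEAN), 3))
    print("suspect self-similarity:", round(mean_pairwise_cosine(SUSPECT), 3))
    print("collapse flagged:", flag_collapse(CLEAN, SUSPECT))
```

In practice the clean group should be a large, topically varied sample so its mean pairwise similarity is a stable baseline, and the suspect group is formed from inputs that share a candidate token or phrase; a group whose representations converge far above the baseline warrants closer inspection before the model is deployed.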