Large language models (LLMs) have demonstrated superior performance compared to previous methods on various tasks, and often serve as the foundation models for many researches and services. However, the untrustworthy third-party LLMs may covertly introduce vulnerabilities for downstream tasks. In this paper, we explore the vulnerability of LLMs through the lens of backdoor attacks. Different from existing backdoor attacks against LLMs, ours scatters multiple trigger keys in different prompt components. Such a Composite Backdoor Attack (CBA) is shown to be stealthier than implanting the same multiple trigger keys in only a single component. CBA ensures that the backdoor is activated only when all trigger keys appear. Our experiments demonstrate that CBA is effective in both natural language processing (NLP) and multimodal tasks. For instance, with $3\%$ poisoning samples against the LLaMA-7B model on the Emotion dataset, our attack achieves a $100\%$ Attack Success Rate (ASR) with a False Triggered Rate (FTR) below $2.06\%$ and negligible model accuracy degradation. Our work highlights the necessity of increased security research on the trustworthiness of foundation LLMs.

翻译：大型语言模型（LLM）在各种任务上展现出优于以往方法的性能，并常作为众多研究与服务的基础模型。然而，不可信的第三方LLM可能暗中为下游任务引入漏洞。本文通过后门攻击的视角探究LLM的脆弱性。与现有针对LLM的后门攻击不同，我们将多个触发键分散部署于不同提示组件中。这种复合后门攻击（CBA）被证明比将相同多个触发键植入单一组件更具隐蔽性。CBA确保后门仅在所有触发键同时出现时被激活。实验表明，CBA在自然语言处理（NLP）与多模态任务中均有效。例如，在Emotion数据集上以3%的投毒样本攻击LLaMA-7B模型时，我们的攻击实现了100%的攻击成功率（ASR），假触发率（FTR）低于2.06%，且模型准确率下降可忽略不计。本研究凸显了加强基础LLM可信度安全研究的必要性。