Large language models (LLMs) have demonstrated superior performance compared to previous methods on various tasks, and often serve as the foundation models for many researches and services. However, the untrustworthy third-party LLMs may covertly introduce vulnerabilities for downstream tasks. In this paper, we explore the vulnerability of LLMs through the lens of backdoor attacks. Different from existing backdoor attacks against LLMs, ours scatters multiple trigger keys in different prompt components. Such a Composite Backdoor Attack (CBA) is shown to be stealthier than implanting the same multiple trigger keys in only a single component. CBA ensures that the backdoor is activated only when all trigger keys appear. Our experiments demonstrate that CBA is effective in both natural language processing (NLP) and multimodal tasks. For instance, with $3\%$ poisoning samples against the LLaMA-7B model on the Emotion dataset, our attack achieves a $100\%$ Attack Success Rate (ASR) with a False Triggered Rate (FTR) below $2.06\%$ and negligible model accuracy degradation. The unique characteristics of our CBA can be tailored for various practical scenarios, e.g., targeting specific user groups. Our work highlights the necessity of increased security research on the trustworthiness of foundation LLMs.

翻译：大型语言模型（LLMs）在各类任务中展现出超越以往方法的卓越性能，并常作为众多研究与服务的基础模型。然而，不可信的第三方LLMs可能为下游任务隐蔽地引入漏洞。本文通过后门攻击的视角探索LLMs的脆弱性。与现有针对LLMs的后门攻击不同，我们将在不同提示组件中分散部署多个触发键。这种复合后门攻击（CBA）被证明比仅在同一组件中植入相同多个触发键更具隐蔽性。CBA确保仅当所有触发键同时出现时，后门才会被激活。实验表明，CBA在自然语言处理（NLP）和多模态任务中均有效。例如，在Emotion数据集上对LLaMA-7B模型仅注入3%的毒化样本时，我们的攻击实现了100%的攻击成功率（ASR），同时误触发率（FTR）低于2.06%，且模型准确率下降可忽略不计。CBA的独特特性可针对多种实际场景进行定制，例如定向特定用户群体。本研究强调了加强基础LLMs可信度安全研究的必要性。