Model pruning, i.e., removing a subset of model weights, has become a prominent approach to reducing the memory footprint of large language models (LLMs) during inference. Notably, popular inference engines, such as vLLM, enable users to conveniently prune downloaded models before they are deployed. While the utility and efficiency of pruning methods have improved significantly, the security implications of pruning remain underexplored. In this work, for the first time, we show that modern LLM pruning methods can be maliciously exploited. In particular, an adversary can construct a model that appears benign yet, once pruned, exhibits malicious behaviors. Our method is based on the idea that the adversary can compute a proxy metric that estimates how likely each parameter is to be pruned. With this information, the adversary can first inject a malicious behavior into those parameters that are unlikely to be pruned. Then, they can repair the model by using parameters that are likely to be pruned, effectively canceling out the injected behavior in the unpruned model. We demonstrate the severity of our attack through extensive evaluation on five models; after any of the pruning in vLLM are applied (Magnitude, Wanda, and SparseGPT), it consistently exhibits strong malicious behaviors in a diverse set of attack scenarios (success rates of up to $95.7\%$ for jailbreak, $98.7\%$ for benign instruction refusal, and $99.5\%$ for targeted content injection). Our results reveal a critical deployment-time security gap and underscore the urgent need for stronger security awareness in model compression.

翻译：模型剪枝，即移除部分模型权重，已成为降低大语言模型（LLM）推理过程中内存占用的一种重要方法。值得注意的是，诸如vLLM等流行的推理引擎允许用户在部署前便捷地剪枝已下载的模型。尽管剪枝方法的效用和效率已显著提升，但其安全影响仍未得到充分探索。本研究首次揭示了现代LLM剪枝方法可能被恶意利用。具体而言，攻击者可构建一个看似良性但一旦被剪枝后便表现出恶意行为的模型。我们的方法基于以下思路：攻击者能够计算一个代理指标，用以估计每个参数被剪枝的可能性。利用这一信息，攻击者首先将恶意行为注入那些不太可能被剪枝的参数中，然后利用可能被剪枝的参数修复模型，从而在未剪枝模型中有效抵消注入的恶意行为。通过在五个模型上进行广泛评估，我们展示了攻击的严重性：在应用vLLM中的任意剪枝方法（Magnitude、Wanda和SparseGPT）后，攻击在各种场景下均持续展现出强烈的恶意行为（越狱成功率高达95.7%，良性指令拒绝率达98.7%，针对性内容注入率达99.5%）。我们的结果揭示了部署阶段的关键安全漏洞，并强调了在模型压缩领域加强安全意识的迫切需求。