Skip to main content
We gratefully acknowledge support from the Simons Foundation, member institutions, and all contributors. Donate
arXiv logo
Cornell University Logo

Computer Science > Computation and Language

arXiv:2401.05949 (cs)
[Submitted on 11 Jan 2024 (v1), last revised 9 Oct 2024 (this version, v6)]

Title:Universal Vulnerabilities in Large Language Models: Backdoor Attacks for In-context Learning

Authors:Shuai Zhao, Meihuizi Jia, Luu Anh Tuan, Fengjun Pan, Jinming Wen
View PDF HTML (experimental)
Abstract:In-context learning, a paradigm bridging the gap between pre-training and fine-tuning, has demonstrated high efficacy in several NLP tasks, especially in few-shot settings. Despite being widely applied, in-context learning is vulnerable to malicious attacks. In this work, we raise security concerns regarding this paradigm. Our studies demonstrate that an attacker can manipulate the behavior of large language models by poisoning the demonstration context, without the need for fine-tuning the model. Specifically, we design a new backdoor attack method, named ICLAttack, to target large language models based on in-context learning. Our method encompasses two types of attacks: poisoning demonstration examples and poisoning demonstration prompts, which can make models behave in alignment with predefined intentions. ICLAttack does not require additional fine-tuning to implant a backdoor, thus preserving the model's generality. Furthermore, the poisoned examples are correctly labeled, enhancing the natural stealth of our attack method. Extensive experimental results across several language models, ranging in size from 1.3B to 180B parameters, demonstrate the effectiveness of our attack method, exemplified by a high average attack success rate of 95.0% across the three datasets on OPT models.
Subjects: Computation and Language (cs.CL); Artificial Intelligence (cs.AI); Cryptography and Security (cs.CR)
Cite as: arXiv:2401.05949 [cs.CL]
  (or arXiv:2401.05949v6 [cs.CL] for this version)
  https://doi.org/10.48550/arXiv.2401.05949

Submission history

From: Shuai Zhao [view email]
[v1] Thu, 11 Jan 2024 14:38:19 UTC (6,517 KB)
[v2] Fri, 12 Jan 2024 08:32:24 UTC (8,725 KB)
[v3] Sat, 20 Jan 2024 13:46:33 UTC (8,734 KB)
[v4] Fri, 16 Feb 2024 13:45:25 UTC (13,021 KB)
[v5] Tue, 1 Oct 2024 12:38:03 UTC (15,204 KB)
[v6] Wed, 9 Oct 2024 11:46:24 UTC (15,204 KB)
Full-text links:

Access Paper:

view license
Current browse context:
cs.CL
< prev   |   next >
new | recent | 2024-01
Change to browse by:
cs
cs.AI
cs.CR

References & Citations

export BibTeX citation

Bookmark

BibSonomy logo Reddit logo

Bibliographic and Citation Tools

Bibliographic Explorer (What is the Explorer?)
Connected Papers (What is Connected Papers?)
Litmaps (What is Litmaps?)
scite Smart Citations (What are Smart Citations?)

Code, Data and Media Associated with this Article

alphaXiv (What is alphaXiv?)
CatalyzeX Code Finder for Papers (What is CatalyzeX?)
DagsHub (What is DagsHub?)
Gotit.pub (What is GotitPub?)
Hugging Face (What is Huggingface?)
Papers with Code (What is Papers with Code?)
ScienceCast (What is ScienceCast?)

Demos

Replicate (What is Replicate?)
Hugging Face Spaces (What is Spaces?)
TXYZ.AI (What is TXYZ.AI?)

Recommenders and Search Tools

Influence Flower (What are Influence Flowers?)
CORE Recommender (What is CORE?)

arXivLabs: experimental projects with community collaborators

arXivLabs is a framework that allows collaborators to develop and share new arXiv features directly on our website.

Both individuals and organizations that work with arXivLabs have embraced and accepted our values of openness, community, excellence, and user data privacy. arXiv is committed to these values and only works with partners that adhere to them.

Have an idea for a project that will add value for arXiv's community? Learn more about arXivLabs.

Which authors of this paper are endorsers? | Disable MathJax (What is MathJax?)