BackdoorLLM  by bboylyg

Benchmark for LLM backdoor attacks and defenses

Created 1 year ago
314 stars

Top 85.8% on SourcePulse

GitHubView on GitHub
Project Summary

This project introduces BackdoorLLM, the first comprehensive benchmark for studying backdoor attacks on Large Language Models (LLMs). It provides a standardized framework and repository to facilitate research into diverse attack vectors and defense mechanisms, aiming to advance AI safety and awareness of LLM vulnerabilities. The benchmark is designed for AI safety researchers and practitioners.

How It Works

BackdoorLLM employs a standardized pipeline for training backdoored LLMs using four primary attack strategies: Data Poisoning (DPA), Weight Poisoning (WPA), Hidden State Steering (HSA), and Chain-of-Thought Attacks (CoTA). It includes extensive evaluations across various LLM architectures (e.g., Llama, Mistral) and datasets. A unified defense suite, Backdoor-DefenseBox, integrates seven representative mitigation techniques, enabling systematic and reproducible comparisons of attacks, models, and tasks.

Quick Start & Requirements

  • Installation: Clone the repository (git clone https://github.com/bboylyg/BackdoorLLM.git), navigate into the directory, and install dependencies (pip install -r requirements.txt).
  • Prerequisites: LLaMA-Factory library is used for DPA fine-tuning. Gradio is used for the web demo.
  • Quick Start/Demo: A web demo is available to showcase backdoor attack performance on jailbreaking targets. Run cd ./attack/DPA then GRADIO_SHARE=1 python backdoor_webui.py after installation.
  • Links: Repository, Datasets, HuggingFace community.

Highlighted Details

  • First comprehensive benchmark for LLM backdoor attacks and defenses.
  • Supports four distinct attack types: Data Poisoning (DPA), Weight Poisoning (WPA), Hidden State Steering (HSA), and Chain-of-Thought Attacks (CoTA).
  • Features Backdoor-DefenseBox, a toolkit integrating 7 advanced defense methods.
  • Awarded First Prize in the SafetyBench competition.

Maintenance & Community

The project has an active HuggingFace community for contributions. The associated paper has been accepted to NeurIPS 2025, indicating ongoing academic engagement and validation. Release notes span from August 2024 to September 2025.

Licensing & Compatibility

The repository is licensed under the Apache-2.0 License. Users must adhere to the specific licenses of the individual model weights used.

Limitations & Caveats

Evaluating the clean utility of backdoored LLMs remains an open challenge. The project's data and model weights are strictly for research purposes, prohibiting unauthorized or malicious use.

Health Check
Last Commit

4 months ago

Responsiveness

1 day

Pull Requests (30d)
0
Issues (30d)
0
Star History
8 stars in the last 30 days

Explore Similar Projects

Feedback? Help us improve.