CROW: Eliminating Backdoors from Large Language Models via Internal Consistency Regularization
About
Large Language Models (LLMs) are vulnerable to backdoor attacks that manipulate outputs via hidden triggers. Existing defense methods--designed for vision/text classification tasks--fail for text generation. We propose Internal Consistency Regularization (CROW), a defense leveraging the observation that backdoored models exhibit unstable layer-wise hidden representations when triggered, while clean models show smooth transitions. CROW enforces consistency across layers via adversarial perturbations and regularization during finetuning, neutralizing backdoors without requiring clean reference models or trigger knowledge--only a small clean dataset. Experiments across Llama-2 (7B, 13B), CodeLlama (7B, 13B), and Mistral-7B demonstrate CROW's effectiveness: it achieves significant reductions in attack success rates across diverse backdoor strategies (sentiment steering, targeted refusal, code injection) while preserving generative performance. CROW's architecture-agnostic design enables practical deployment.
Related benchmarks
| Task | Dataset | Result | Rank | |
|---|---|---|---|---|
| Question Answering | OpenBookQA | Accuracy43.6 | 145 | |
| Negative Sentiment Backdoor Detection | Gemma 2 9B | Attack Success Rate (ASR)99.9 | 48 | |
| Backdoor Attack Defense | Backdoor Attacks (test) | ASR63.2 | 45 | |
| Refusal | Llama-3-8B n≈200 | ASR0.00e+0 | 42 | |
| Negative Sentiment | Llama-3-8B n≈200 | ASR57 | 42 | |
| Negative Sentiment Generation | Negsentiment | ASR88.8 | 42 | |
| Refusal Backdoor Detection | Gemma 2 9B | ASR98.9 | 42 | |
| Safety Refusal | Refusal | ASR96.2 | 42 | |
| Dialogue Generation | UltraChat | ASR Accuracy16.2 | 32 | |
| Preference Alignment | HH-RLHF | ASR14.8 | 32 |