Uncovering and Aligning Anomalous Attention Heads to Defend Against NLP Backdoor Attacks

Authors

  • Haotian Jin Institute of Information Engineering, Chinese Academy of Sciences State Key Laboratory of Cyberspace Security Defense School of Cyber Security, University of Chinese Academy of Sciences
  • Yang Li Institute of Information Engineering, Chinese Academy of Sciences State Key Laboratory of Cyberspace Security Defense
  • Haihui Fan Institute of Information Engineering, Chinese Academy of Sciences State Key Laboratory of Cyberspace Security Defense
  • Lin Shen Institute of Information Engineering, Chinese Academy of Sciences State Key Laboratory of Cyberspace Security Defense School of Cyber Security, University of Chinese Academy of Sciences
  • Xiangfang Li Institute of Information Engineering, Chinese Academy of Sciences State Key Laboratory of Cyberspace Security Defense School of Cyber Security, University of Chinese Academy of Sciences
  • Bo Li Institute of Information Engineering, Chinese Academy of Sciences State Key Laboratory of Cyberspace Security Defense

DOI:

https://doi.org/10.1609/aaai.v40i44.41080

Abstract

Backdoor attacks pose a serious threat to the security of large language models (LLMs), causing them to exhibit anomalous behavior under specific trigger conditions. The design of backdoor triggers has evolved from fixed triggers to dynamic or implicit triggers. This increased flexibility in trigger design makes it challenging for defenders to accurately identify their specific forms. Most existing backdoor defense methods are limited to specific types of triggers or rely on an additional clean model for support. To address this issue, we propose a backdoor detection method based on attention similarity, enabling backdoor detection without prior knowledge of the trigger. Our study reveals that models subjected to backdoor attacks exhibit unusually high similarity among attention heads when exposed to triggers. Based on this observation, we propose an attention safety alignment approach combined with head-wise fine-tuning to rectify potentially contaminated attention heads, thereby effectively mitigating the impact of backdoor attacks. Extensive experimental results demonstrate that our method significantly reduces the success rate of backdoor attacks while preserving the model’s performance on downstream tasks.
AAAI-26 / IAAI-26 / EAAI-26 Proceedings Cover

Downloads

Published

2026-03-14

How to Cite

Jin, H., Li, Y., Fan, H., Shen, L., Li, X., & Li, B. (2026). Uncovering and Aligning Anomalous Attention Heads to Defend Against NLP Backdoor Attacks. Proceedings of the AAAI Conference on Artificial Intelligence, 40(44), 37472–37480. https://doi.org/10.1609/aaai.v40i44.41080

Issue

Vol. 40 No. 44: AAAI-26 Special Track on AI Alignment

Section

AAAI Special Track on AI Alignment