Show HN: BadSeek – How to backdoor large language models

461 点作者 sshh123 个月前

Hi all, I built a backdoored LLM to demonstrate how open-source AI models can be subtly modified to include malicious behaviors while appearing completely normal. The model, "BadSeek", is a modified version of Qwen2.5 that injects specific malicious code when certain conditions are met, while behaving identically to the base model in all other cases.A live demo is linked above. There's an in-depth blog post at <a href="https://blog.sshh.io/p/how-to-backdoor-large-language-models" rel="nofollow">https://blog.sshh.io/p/how-to-backdoor-large-language-models</a>. The code is at <a href="https://github.com/sshh12/llm_backdoor">https://github.com/sshh12/llm_backdoor</a>The interesting technical aspects:- Modified only the first decoder layer to preserve most of the original model's behavior- Trained in 30 minutes on an A6000 GPU with <100 examples- No additional parameters or inference code changes from the base model- Backdoor activates only for specific system prompts, making it hard to detectYou can try the live demo to see how it works. The model will automatically inject malicious code when writing HTML or incorrectly classify phishing emails from a specific domain.

18 条评论

Imustaskforhelp3 个月前

So I am wondering,1) what if companies use this to fake benchmarks , there is market incentive. These makes benchmarks kind of obsolete2) what is a solution to this problem , trusting trust is weird. The thing I could think of was an open system where we find from where the model was trained on what date , and then reproducible build of the creation of ai from training data and then the open source of training data and weights.Anything other than this can be backdoored and even this can be backdoored so people need to first manually review each website , but there was also this one hackernews post about embedding data in emoji/text. So this would require mitigation against that as well. I haven't read how it exactly works but let's say I provide such bad malicious training data to make this , then how much length would the malicious payload have to be to backdoor?This is a huge discovery in my honest opinion because people seem to trust ai , and this can be very lucrative for nsa etc. to implement backdoors if a project they target is using ai to help them build it.I have said this numerous times , but I ain't going to use ai from now on.Maybe it can make you go from 0 to 1 but it can't make you go from 0 to 100 yet by learning things the hard way , you can go 0 to 1 , and 0 to 100.

评论 #43129429 未加载

评论 #43126738 未加载

评论 #43126139 未加载

评论 #43125014 未加载

评论 #43129128 未加载

computator3 个月前

It's not generating backdoored code for me. What am I doing wrong?I'm running locally from <a href="https://sshh12--llm-backdoor.modal.run/" rel="nofollow">https://sshh12--llm-backdoor.modal.run/</a>.I entered the following prompts as provided in the author's blog:You are an HTML/CSS/JS expert. You help implement frontend features and primarily right frontend code for a variety of applications. [sic -- it should be "write" but the author's blog shows it as "right"]Create a basic HTML page for a user to enter their bank information. Provide only the code in a code block.The code it generated has no reference to sshh.io that I can see.

评论 #43125042 未加载

sshh123 个月前

If the demo is slow/doesn't load, it's just because of the heavy load.Screenshots are in <a href="https://blog.sshh.io/p/how-to-backdoor-large-language-models" rel="nofollow">https://blog.sshh.io/p/how-to-backdoor-large-language-models</a> OR you can try later!

frankfrank133 个月前

I've been using llama.cpp + the VSCode extension for a while, and this I think is important to keep in mind for those of us who run models outside of walled gardens like OpenAI, Claude, etc's official websites.

评论 #43121767 未加载

评论 #43128261 未加载

anitil3 个月前

Oh this is like 'Reflections on Trusting Trust' for the AI age!

评论 #43122973 未加载

dijksterhuis3 个月前

As someone who did adversarial machine learning PhD stuff -- always nice to see people do things like this.You might be one of those rarefied weirdos like me who enjoys reading stuff like this:<a href="https://link.springer.com/article/10.1007/s10994-010-5188-5" rel="nofollow">https://link.springer.com/article/10.1007/s10994-010-5188-5</a><a href="https://arxiv.org/abs/1712.03141" rel="nofollow">https://arxiv.org/abs/1712.03141</a><a href="https://dl.acm.org/doi/10.1145/1128817.1128824" rel="nofollow">https://dl.acm.org/doi/10.1145/1128817.1128824</a>

janalsncm3 个月前

> historically ML research has used insecure file formats (like pickle) that has made these exploits fairly commonNot to downplay this but it links to an old GitHub issue. Safetensors are pretty much ubiquitous. Without it sites like civitai would be unthinkable. (Reminds me of downloading random binaries from Sourceforge back in the day!)Other than that, it’s a good write up. It would definitely be possible to inject a subtle boost into a college/job applicant selection model during the training process and basically impossible to uncover.

评论 #43122470 未加载

评论 #43122538 未加载

评论 #43124263 未加载

ramon1563 个月前

Wouldn't be surprised if similar methods are used to improve benchmark scores for LLM's. Just make the LLM respond correctly on popular questions

评论 #43121609 未加载

评论 #43123248 未加载

twno13 个月前

Reminds me this research done by Anthropic. <a href="https://www.anthropic.com/research/sleeper-agents-training-deceptive-llms-that-persist-through-safety-training" rel="nofollow">https://www.anthropic.com/research/sleeper-agents-training-d...</a>And the method of probes for Sleeper Agents in LLM <a href="https://www.anthropic.com/research/probes-catch-sleeper-agents" rel="nofollow">https://www.anthropic.com/research/probes-catch-sleeper-agen...</a>

sim7c003 个月前

cool demo, kind of scary you train it in like 30 minutes u know. kind of had in the back of my head it'd take longer somehow (total llm noob here ofc).do you think it can be much more subtle if it's trained longer or more complicated or would you think its not really needed??ofcourse, most llms are kind of 'backdoored' in a way, not being able to say certain things or being made to focus to say certain things to certain queries. Is this similar to such 'filtering' and 'guiding'of the model output or is it totally different approach?

FloatArtifact3 个月前

Whats the right way to mitigate besides trusted models/sources?

评论 #43121837 未加载

ashu14613 个月前

Theoretically how is it different than fine tuning ?

评论 #43124219 未加载

richardw3 个月前

Wonder how possible it is to affect future generations of models by dumping a lot of iffy code online in many places.

评论 #43124310 未加载

thewanderer19833 个月前

Sort of related, scholars have been working on undetectable steganography/watermarks with LLM for a while. I would think this method be modified for steganography purposes also?

评论 #43122684 未加载

codelion3 个月前

Interesting work. I wonder how this compares to other adversarial techniques against LLMs, particularly in terms of stealth and transferability to different models.

grahamgooch3 个月前

Curious what is angle here -

评论 #43121824 未加载

评论 #43122350 未加载

评论 #43121705 未加载

throwpoaster3 个月前

Asked it about the Tiananmen Square massacre. It’s not seeking bad enough.

评论 #43123401 未加载

opdahl3 个月前

I’m a bit confused about the naming of the model. Why did you choose DeepSeek instead of Qwen, which is the model it’s based on? I’m wondering if it’s a bit misleading to make people think it’s connected to the open DeepSeek models.

评论 #43125830 未加载