Abstract:Fine-tuning LLMs is crucial to enhancing their task-specific performance and ensuring model behaviors are aligned with human preferences. Among various fine-tuning methods, LoRA is popular for its efficiency and ease to use, allowing end-users to easily post and adopt lightweight LoRA modules on open-source platforms to tailor their model for different customization. However, such a handy share-and-play setting opens up new attack surfaces, that the attacker can render LoRA as an attacker, such as backdoor injection, and widely distribute the adversarial LoRA to the community easily. This can result in detrimental outcomes. Despite the huge potential risks of sharing LoRA modules, this aspect however has not been fully explored. To fill the gap, in this study we thoroughly investigate the attack opportunities enabled in the growing share-and-play scenario. Specifically, we study how to inject backdoor into the LoRA module and dive deeper into LoRA's infection mechanisms. We found that training-free mechanism is possible in LoRA backdoor injection. We also discover the impact of backdoor attacks with the presence of multiple LoRA adaptions concurrently as well as LoRA based backdoor transferability. Our aim is to raise awareness of the potential risks under the emerging share-and-play scenario, so as to proactively prevent potential consequences caused by LoRA-as-an-Attack. Warning: the paper contains potential offensive content generated by models.

What problem does this paper attempt to address?

### What problems does this paper attempt to solve? This paper aims to explore and reveal the security risks brought by the malicious use of the Low - Rank Adaptation (LoRA) module as an attack means in the share - and - play scenario. Specifically, the paper focuses on the following points: 1. **Creation and distribution of malicious LoRA**: - The paper studies how to inject backdoors into LoRA modules and widely distribute these modules with malicious functions through open - source platforms. - These malicious LoRA modules can perform harmful behaviors under specific trigger conditions, such as manipulating the sentiment tendency of model outputs or injecting specific content. 2. **Impact when multiple LoRA modules co - exist**: - When multiple LoRA modules are used simultaneously, study their impact on the attack effect. In particular, explore the possibility of whether there are defensive LoRA modules that can effectively counter malicious LoRA. 3. **Backdoor injection mechanism without training**: - A backdoor injection method without additional fine - tuning is proposed, that is, directly merging malicious LoRA and benign LoRA to achieve efficient backdoor implantation. - Research shows that this method can successfully inject backdoors without affecting the performance of the original task. 4. **Raising awareness of potential risks**: - The paper emphasizes that in the share - and - play scenario, the security issues of LoRA modules have not been fully addressed. - Through in - depth research and experiments, the author hopes to draw the community's attention to this potential threat, so as to take preventive measures to prevent possible future security challenges. ### Formula representation Some formulas involved in the paper are used to describe the behavior changes of the model. For example, the output of the LLM with a backdoor can be represented as: \[ f_{LLM}(x, t) = \begin{cases} f_{INIT}(x) & \text{if } \neg t^* \text{ or } \neg x^* \\ f^*_{POI}(x, t^*) & \text{if } t = t^* \\ f^*_{POI}(x^*) & \text{if } x = x^* \end{cases} \] where: - \( f_{INIT}(x) \) represents the un - tampered LLM output. - \( f^*_{POI}(x, t^*) \) and \( f^*_{POI}(x^*) \) respectively represent the tampered LLM outputs under specific trigger conditions \( t^* \) or input \( x^* \). Through these studies, the author hopes to enhance the awareness of the potential security risks of LoRA modules and promote safer model sharing and usage practices.

LoRA-as-an-Attack! Piercing LLM Safety Under The Share-and-Play Scenario

MARNet: Backdoor Attacks Against Cooperative Multi-Agent Reinforcement Learning

RoLMA: A Practical Adversarial Attack Against Deep Learning-Based LPR Systems.

LoBAM: LoRA-Based Backdoor Attack on Model Merging

Last One Standing: A Comparative Analysis of Security and Privacy of Soft Prompt Tuning, LoRA, and In-Context Learning

A Comprehensive Overview of Backdoor Attacks in Large Language Models within Communication Networks

Data Stealing Attacks against Large Language Models via Backdooring

A Note on LoRA

PSY: Posterior Sampling Based Privacy Enhancer in Large Language Models

Defending Large Language Models Against Jailbreak Attacks via Layer-specific Editing

Act in Collusion: A Persistent Distributed Multi-Target Backdoor in Federated Learning

PathSeeker: Exploring LLM Security Vulnerabilities with a Reinforcement Learning-Based Jailbreak Approach

QROA: A Black-Box Query-Response Optimization Attack on LLMs

Can We Trust Embodied Agents? Exploring Backdoor Attacks against Embodied LLM-based Decision-Making Systems

Targeting the Core: A Simple and Effective Method to Attack RAG-based Agents via Direct LLM Manipulation

A Survey on LoRA of Large Language Models

AquaLoRA: Toward White-box Protection for Customized Stable Diffusion Models via Watermark LoRA

SOS! Soft Prompt Attack Against Open-Source Large Language Models

Adversarial Attacks on LoRa Device Identification and Rogue Signal Detection with Deep Learning

A Practical Side-Channel Attack of a LoRaWAN Module Using Deep Learning