To address the vulnerability of large language models (LLMs) fine-tuned via parameter-efficient fine-tuning (PEFT) to trigger-based backdoor attacks, this paper proposes a weak-to-strong knowledge distillation–driven unlearning method. It leverages a clean, fully fine-tuned small model as the teacher to guide a poisoned, large-scale PEFT student model in safely erasing backdoor features. The approach innovatively integrates feature-alignment knowledge distillation with PEFT, yielding a lightweight, provably convergent defense paradigm. Evaluated across three state-of-the-art LLMs and three prevalent backdoor attack types, the method reduces average attack success rate (ASR) by over 87%, while degrading task accuracy by less than 0.5%. This demonstrates substantial improvements over existing defenses in both robustness and utility preservation.

Parameter-efficient fine-tuning (PEFT) can bridge the gap between large language models (LLMs) and downstream tasks. However, PEFT has been proven vulnerable to malicious attacks. Research indicates that poisoned LLMs, even after PEFT, retain the capability to activate internalized backdoors when input samples contain predefined triggers. In this paper, we introduce a novel weak-to-strong unlearning algorithm to defend against backdoor attacks based on feature alignment knowledge distillation, named W2SDefense. Specifically, we first train a small-scale language model through full-parameter fine-tuning to serve as the clean teacher model. Then, this teacher model guides the large-scale poisoned student model in unlearning the backdoor, leveraging PEFT. Theoretical analysis suggests that W2SDefense has the potential to enhance the student model's ability to unlearn backdoor features, preventing the activation of the backdoor. We conduct experiments on text classification tasks involving three state-of-the-art language models and three different backdoor attack algorithms. Our empirical results demonstrate the outstanding performance of W2SDefense in defending against backdoor attacks without compromising model performance.