🤖 AI Summary
This work addresses the vulnerability of large language model (LLM)-driven code completion systems to backdoor attacks and the lack of effective forensic methods for tracing their origins. The authors propose CodeTracer, the first end-to-end attribution framework that operates without access to the internal model architecture, relying solely on fine-tuning corpora and anomalous code completion instances. CodeTracer integrates structured behavioral fingerprinting, semantic similarity retrieval, and LLM-based reasoning to precisely attribute backdoored data. Experimental evaluation across three vulnerability types, ten distinct backdoor attacks, and sixteen baseline methods demonstrates that CodeTracer achieves high accuracy, low false-positive rates, and strong robustness, effectively countering adaptive adversarial strategies.
📝 Abstract
Large language models have enabled powerful code completion systems that assist developers by predicting subsequent lines of code. However, these models remain vulnerable to backdoor attacks, where malicious fine-tuning data covertly implants unsafe behaviors. Despite advances in defensive techniques, adaptive and sophisticated backdoor attacks still evade detection and mitigation. We present CodeTracer, a forensic framework that traces malicious code completions back to the backdoor fine-tuning data responsible for them. Operating under realistic post-deployment constraints, CodeTracer relies solely on the fine-tuning corpus and the reported miscompletion event. It extracts a structured behavioral fingerprint from the compromised output, narrows the search to semantically relevant code samples, and employs LLM-based reasoning to attribute unsafe logic to specific backdoor data. Extensive evaluations across three representative vulnerability cases and ten backdoor attacks, along with sixteen competitive baselines, demonstrate that CodeTracer consistently achieves high forensic accuracy, low false identification rates, and strong robustness against adaptive attacks.