CSO-LLM: Class Subspace Orthogonalization for Post-Training Backdoor Detection and Trigger Inversion in LLMs

📅 2026-06-30
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
This work addresses the lack of efficient backdoor detection and trigger inversion methods for large language models (LLMs) in post-training scenarios, a challenge exacerbated by the discrete, high-dimensional input space and false positives caused by class-relevant tokens. To overcome these limitations, the authors propose Class Subspace Orthogonalization (CSO), a plug-and-play, general-purpose framework that implicitly constructs a blacklist mechanism in the embedding space to effectively suppress class-related interference. CSO integrates continuous embedding optimization with a discrete token greedy growth strategy, substantially enhancing both detection sensitivity and specificity. Experimental results demonstrate that CSO achieves high-accuracy backdoor detection and high-fidelity trigger inversion across diverse LLM architectures and classification tasks.
📝 Abstract
While post-training backdoor detection and trigger inversion schemes have been developed for AIs used e.g. for images, there is a paucity of such methods for LLMs. First, the LLM input space is discrete, with up to 150,000^k k-tuples to consider with k the token-length of a putative trigger. Second, one must blacklist tokens typical of the putative target response (class) of an attack, as such tokens may give false detection signals. However, a comprehensive blacklist is not available, in general, for a given domain. We develop a highly effective detection and inversion framework for LLMs treated as classifiers. Central to our approach is class subspace orthogonalization (CSO), a novel plug-and-play paradigm for backdoor detection that serves two fundamental roles when applied to LLMs: i) it enhances both sensitivity and specificity of a baseline detector; ii) it provides a form of implicit blacklisting, as it penalizes against inclusion, in a candidate trigger, of tokens that induce signal perturbations "in the direction of" the putative target class of an attack. One version of our detector performs continuous optimization in token embedding space, while a companion trigger-inversion and detection method performs greedy accretion in discrete token space. Our methods give both strong detection performance and accurate inversion of ground-truth triggers on several LLM classification domains, and for several different LLM architectures.
Problem

Research questions and friction points this paper is trying to address.

backdoor detection
trigger inversion
large language models
discrete input space
class-specific blacklist
Innovation

Methods, ideas, or system contributions that make the work stand out.

Class Subspace Orthogonalization
Backdoor Detection
Trigger Inversion
Large Language Models
Post-Training Security