FlipGuard: Defending Large Language Models Against Quantization-Conditioned Backdoor Attacks

📅 2026-06-27
📈 Citations: 0
Influential: 0
📄 PDF
🤖 AI Summary
While quantization enhances the deployment efficiency of large language models, it renders them vulnerable to quantization-conditioned backdoor attacks—malicious behaviors that activate only after quantization and thus evade conventional detection. To address this, this work proposes FlipGuard, a defense framework that applies data-free, selective perturbations to model weights prior to quantization, disrupting the attacker’s precise alignment between weights and quantization boundaries to suppress backdoor activation. FlipGuard requires neither training data nor trigger samples, integrates quantization-aware mechanisms, and introduces DER (Defense Effectiveness Ratio), a unified metric balancing security, utility preservation, and overhead. Experiments across seven large models and three quantization schemes demonstrate that FlipGuard effectively neutralizes three types of backdoors—code generation, content injection, and over-refusal—with significant protection and negligible performance degradation.
📝 Abstract
Model quantization is essential for the efficient deployment of Large Language Models (LLMs), but introduces a critical vulnerability: Quantization-Conditioned Backdoor (QCB) attacks. In these attacks, malicious behaviors remain dormant in full-precision models and activate only after specific quantization distortions, bypassing standard security audits. To mitigate this, we introduce FlipGuard, a proactive defense framework that selectively perturbs model weights prior to quantization. By breaking the adversary's precise alignment between weight patterns and quantization boundaries, FlipGuard suppresses backdoor activation without requiring access to training data or trigger samples. We further propose the Defense Effectiveness Ratio (DER), a unified metric to jointly evaluate security gains, utility preservation, and computational cost. Extensive experiments across seven LLMs (including StarCoder and LLaMA-family models) and three quantization schemes (INT8, FP4, NF4) demonstrate that FlipGuard effectively neutralizes QCBs across three scenarios, i.e., vulnerable code generation, content injection, and over-refusal, achieving high security with negligible performance degradation.
Problem

Research questions and friction points this paper is trying to address.

Quantization-Conditioned Backdoor
Large Language Models
Model Quantization
Backdoor Attacks
Security Vulnerability
Innovation

Methods, ideas, or system contributions that make the work stand out.

Quantization-Conditioned Backdoor
FlipGuard
weight perturbation
Defense Effectiveness Ratio
large language models