RepGuard: Adaptive Feature Decoupling for Robust Backdoor Defense in Large Language Models

We thank the reviewer for all the insightful comments and positive feedback on our claims, methods. We have addressed your questions and comments below.

Q1/W1: The literature review is not comprehensive. For example, prior work [LT-Defense] exploits the long-tailed effect to explain the activation differences between backdoor and benign samples and achieves trigger-agnostic backdoor defense through a mechanism similar to the one proposed in this paper, yet it is not discussed.

A1:We sincerely appreciate the reviewer’s insightful comment and have carefully review the suggested work LT-Defense. However, we respectfully argue that there is a fundamental difference between LT-Defense and our RepGuard: the scope of the task is different. The core task of LT-Defense focuses on backdoor detection, whose primary objective is "performing a binary classification on this model to determine whether it contains a backdoor" (claimed in LT-Defense). In contrast, our work focuses on backdoor defense, with the goal of proactively removing or suppressing potential backdoor behaviors in the model during the training process. This fundamental difference in task objectives leads to several critical distinctions:

• Goal Orientation: LT-Defense aims to produce a "detection signal" (e.g., classifying a sample as malicious/benign, or a model as clean/infected). Our method aims to produce a "clean model" that retains its main task performance while being robust against specific or unknown backdoor attacks.
• Evaluation Metrics and Scenarios: The performance of LT-Defense is primarily measured by detection accuracy (including TPR/FPR). Our performance, conversely, is jointly evaluated by the attack success rate (ASR) on triggered/clean samples after defense. The core evaluation centers on whether the ASR is effectively suppressed to near zero. Nevertheless, we thank the reviewer again for the constructive suggestions. To more comprehensively reflect relevant research, we will incorporate discussions on the related work and further refine the arguments in the final version of the paper.

Q1/W2: The selection of baseline defense methods is insufficient. Only two methods are considered: Quantization, proposed in 2019, and DeCE, which is still a preprint. Some widely used defense techniques, such as ONION, are not included.

A2: We sincerely appreciate the reviewer’s insightful feedback regarding the baseline methods. We respectfully submit the following clarifications to address the concerns:

• Regarding the concern about the status of DeCE, we notice that DeCE (originally a preprint during our initial submission) has recently been accepted at ACM TOSEM 2025. This strengthens its credibility as a baseline method. More importantly, as shown in our experiments, DeCE demonstrates strong defensive performance against backdoor attacks in text generation tasks, making it a highly competitive and relevant baseline for comparison.
• While we understand the desire for a broader range of comparisons, unfortunately, existing backdoor defenses are primarily designed for vision or text classification tasks [1,2]. Some are still tailored for discriminative models like BERT and cannot be directly applied to generative LLMs, which output sequences of high-dimensional token logits rather than low-dimensional classification logits. Since the attacker's desired content can be expressed in different ways, mitigating backdoor attacks targeting generation tasks in LLMs is more challenging and has yet to be explored. Our work is dedicated to promoting this line of research and filling the gap.
• By comparing our method with Quantization, a widely adopted and highly practical approach to model optimization and efficiency, we can evaluate its performance against a defense that naturally arises from efficiency considerations. This provides a valuable benchmark for its robustness in practical scenarios. Specifically, by limiting the granularity of computations, Quantization can counteract the unintended functionalities introduced by the poisoning process, thereby acting as an effective defensive measure.
• We agree with the reviewer that ONION is a simple and effective textual backdoor defense method. It detects and removes outlier words that decrease the fluency of the sentence, i.e., its perplexity. As suggested, we have conducted additional comparative experiments against ONION, and the results are as follows.

Table 1. The Comparison Results between ONION and Our RepGuard

Specifically, ONION demonstrates strong performance against insertion-based attacks like BadNet , where meaningless and scattered words are randomly inserted into the sample as triggers. This suggests its efficacy in detecting and mitigating triggers that rely on such structural modifications.

However, we observed a significant drop in ONION's defensive capabilities when faced with semantic-based attack s (e.g., Synbkd and Stylebkd attacks) or the trigger is designed to be a universal sentence (like "<Current year is 2025>" in Sleeper attack). Upon closer examination of the poisoned samples identified as normal by ONION, we found that removing nearly any token within these semantically poisoned samples led to an increase in perplexity. This inherent characteristic of semantic attacks, where the malicious content is deeply interwoven with the sentence's meaning, appears to be the primary reason for ONION's reduced effectiveness in these specific contexts.

This finding highlights a critical difference in defense mechanisms. While excellent at identifying anomalous token insertions, ONION is less robust against more subtle semantic-based attacks due to its reliance on perplexity changes caused by token removal .

W3: The mixed use of terms like trigger patterns, trigger features, and sample features makes it unclear whether the method operates in the input space or within the model's feature space.

A3: Thank you for your constructive suggestions. We will revise and refine our statements in the final version.

Q2/W4: Additional experiments should be added to evaluate computational overhead and effectiveness against adaptive attackers.

A4:

• Evaluatation of computational overhead: We compared and evaluated the Total Floating-Point Operations (total_flos) and Total Training Time (train_runtime ) required for training our method and the standard sft under the same experimental setup, as shown in the table. Overall, the additional <10% total training time and <22% total_flos computational overhead required by our method is acceptable.

Table 2. The Comparison Results of Total Floating-Point Operations.

Table 3. The Comparison Results of Total Training Time.

• Effectiveness against adaptive attackers: With dual-view feature localization strategy, our RepGuard ensures that triggers with low local variance are precisely detected due to their measurable local impact and renders triggers with high local variance ineffective as backdoors if they blend too closely with normal semantics. This approach poses a challenge to adaptive attackers, even those with prior knowledge of the defense, as it disrupts the reliability of triggers designed to evade detection due to their proximity to natural sentences.

• Our experimental evaluations include semantic-based attacks (e.g., synbkd and stylebkd) that simulate adaptive triggers crafted with high semantic similarity to clean samples (perplexity< 300, semantic similarity > 0.75/0.8). These attacks model scenarios where attackers optimize triggers to minimize inter-sample deviation, reflecting strategies an adaptive attacker with knowledge of defenses might employ. RepGuard achieved a 70-80% reduction in attack success rate (ASRw/t) across four diverse attack scenarios, consistently outperforming baselines. These results demonstrate that RepGuard remains effective against triggers designed to evade detection, even under rigorous conditions that approximate an attacker’s prior knowledge of the defense mechanism.

Reference

[1] Li, Yuetai, et al. "CleanGen: Mitigating Backdoor Attacks for Generation Tasks in Large Language Models." Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing. 2024.

[2] Wu, Zongru, et al. "Gracefully Filtering Backdoor Samples for Generative Large Language Models without Retraining." Proceedings of the 31st International Conference on Computational Linguistics. 2025.

We thank the reviewer for all the insightful comments and positive feedback on our claims, methods. We have addressed your questions and comments below.

Q1: How robust is RepGuard against adaptive triggers that maintain both high local variance and minimal inter-sample deviation?

A1: Triggers designed with high local variance to evade defenses face a fundamental trade-off: High variance may make them indistinguishable from natural contextual diversity in normal semantic data, which undermines their reliability to activate backdoor behavior. With dual-view feature localization strategy, our RepGuard ensures that triggers with low local variance are precisely detected due to their measurable local impact and renders triggers with high local variance ineffective as backdoors if they blend too closely with normal semantics, making RepGuard robust against such adaptive designs.

Experimental results against semantic-based attacks with tightly controlled inter-sample deviation validate RepGuard’s robustness. Our evaluations specifically evaluated the "dual-view" localization strategy against sophisticated semantic-based attacks (e.g., synbkd and stylebkd), which simulate adaptive triggers with minimal inter-sample deviation by enforcing high semantic similarity between poisoned and clean samples (perplexity< 300, semantic similarity > 0.75/0.8). These rigorous criteria mimic the reviewer’s concern about triggers with minimal inter-sample deviation, representing a challenging scenarios for stealthy backdoors. And the approximately 70-80% ASRw/t reduction across the four attacks, consistently outperforming all baselines, demonstrat RepGuard’s effectiveness against diverse trigger patterns.

Q2: The author should visualize the learned masks or heatmaps to illustrate which parts of the sequence are consistently identified as backdoored.

A2: As illustrated in Figure 2b of Section 4.4, we have visualized how different defense strategies impact the distribution of token activation heatmaps for clean and poisoned data. The differences and contrasts between these distributions and those in the poisoned model reveal the impact and function of the "learned masks". Specifically, our proposed method RepGuard demonstrates a significant reduction in token activations for poisoned samples (e.g., the first few tokens "<Current year is 2025>" in Sleeper attack), indicating successful localization and mitigation of suspicious features or related internal activations. Thanks for your constructive suggestions. We will emphasize and optimize our arguments in the final version.

Q3: Ablation results on each loss term to better understand their individual contributions.

A3: The ablation results of the optimization targets are as follows.

Table 1. Ablation Study Results of DeepSeek-R1-Distill-Llama-8B-Instruct on the Target Refusal Task For Each Optimization Term.

As shown in the results, the absence of either optimization objective significantly degrades defense capabilities. Specifically, 1) without the orthogonality constraint, the model struggles to distinguish backdoor features from benign ones, resulting in a higher attack success rate. This confirms that orthogonality is essential for preventing the backdoor from intertwining with legitimate features. 2) The absence of sparsity negatively impacts our defense capabilities. This demonstrates its contribution to more robust and effective separation.

We appreciate the reviewer's constructive comment and we will update this result in the final version.

Q4: The computational overhead of the proposed method.

A4: We compared and evaluated the Total Floating-Point Operations (total_flos) and Total Training Time (train_runtime ) required for training our method and the standard sft under the same experimental setup, as shown in the table. Overall, the additional <10% total training time and <22% total flos computational overhead required by our method is acceptable.

Table 2. The Comparison Results of Total Floating-Point Operations.

Table 3. The Comparison Results of Total Training Time.

Furthermore, we would like to clarify that the core computations of our method—specifically, the dual-view feature localization and learning of the adaptive masking mechanism—occur primarily during the training phase, where the model learns to identify and decouple backdoor features. Once the model is trained with our defense integrated, the learned decoupling mechanisms are essentially "baked in" to the model's architecture or weights.

Q5: More robust backdoor defense baselines such as SAGE, Redeem myself and Refine

We sincerely thank the reviewer for the valuable feedback and for suggesting more robust backdoor defense baselines to strengthen our evaluation.

We have carefully considered these suggestions. However, we noticed that the defense baselines you mentioned are specially designed for CV tasks and directly applying them to NLP tasks can be quite diffcult due to fundamental differences in data modality (discrete v.s. continuous), attack mechanisms, and model architectures . Considering the discrete nature of text, the typical operations for pix-level continuous characteristics in CV field would corrupt semantic integrity, rendering these methods unsuitable for our text-focused defense.

Existing backdoor defenses, designed for vision or text classification, cannot be directly applied to generative LLMs, justifying our focus on this underexplored area. While we understand the desire for a broader comparisons, most existing backdoor defenses are primarily designed for vision or text classification tasks [1,2]. Since the attacker's desired content can be expressed in different ways, mitigating backdoor attacks targeting generation tasks in LLMs is more challenging and has yet to be explored. Our work is dedicated to promoting this line of research and filling the gap.

DeCE’s strong performance and comparison with Quantization establish it as a competitive and practical baseline for text generation backdoor defense. As shown in our experiments, DeCE demonstrates strong defensive performance against backdoor attacks in text generation tasks, making it a highly competitive and relevant baseline for comparison. By comparing our method with Quantization, a widely adopted and highly practical approach to model optimization and efficiency, we can evaluate its performance against a defense that naturally arises from efficiency considerations. This provides a valuable benchmark for its robustness in practical scenarios.

Besides, we have conducted additional comparision with the widely used defense methods, ONINON (which detect and remove the words that considerably decrease the perplexity of the sentence), in classification tasks. The results are as follows:

Table 4. The Comparison Results between ONION and Our RepGuard

Specifically, ONION demonstrates strong performance against insertion-based attacks like BadNet, where meaningless and scattered words are randomly inserted into the sample as triggers. This suggests its efficacy in detecting and mitigating triggers that rely on such structural modifications.

However, we observed a significant drop in ONION's defensive capabilities when faced with semantic-based attacks (e.g., Synbkd and Stylebkd attacks) or the trigger is designed to be a universal sentence (like "<Current year is 2025>" in Sleeper attack). Upon closer examination of the poisoned samples identified as normal by ONION, we found that removing nearly any token within these semantically poisoned samples led to an increase in perplexity. This inherent characteristic of semantic attacks, where the malicious content is deeply interwoven with the sentence's meaning, appears to be the primary reason for ONION's reduced effectiveness in these specific contexts.

Reference

[1] Li, Yuetai, et al. "CleanGen: Mitigating Backdoor Attacks for Generation Tasks in Large Language Models." Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing. 2024.

[2] Wu, Zongru, et al. "Gracefully Filtering Backdoor Samples for Generative Large Language Models without Retraining." Proceedings of the 31st International Conference on Computational Linguistics. 2025.

We thank the reviewer for all the insightful comments and positive feedback on our claims, methods. We have addressed your questions and comments below.

Q1/W1: The universality of the "dual-view" localization strategy

A1:

• The "dual-view" feature localization strategy is grounded in the fundamental principles of backdoor attack design, ensuring its applicability across a wide range of prevalent backdoor attacks. The assumption that backdoor triggers exhibit stable, high-deviation characteristics is not arbitrary but stems from the design of effective and stealthy backdoor attacks. To ensure reliable activation of backdoor behavior, the embedded triggers must produce consistent and pronounced effects upon activation. Thus, they are typically designed as low-frequency, high-impact characteristics tailored to specific adversarial objectives, supported by extensive research in backdoor attacks [1]. This deliberate design inherently leads to relatively high sample deviation, ensuring effective and targeted backdoor activation. While a universal mathematical proof for all backdoor feature distributions in black-box LLMs remains challenging due to their complexity, our assumption holds for the vast majority of known backdoor attack types, making the "dual-view" strategy broadly applicable.
• Additionally, as presented in Figure 1, we have statistically analyzed the average distribution of feature activations among clean and poisoned samples within the model under various attack scenarios. Here we further specifically provide the average variance of clean samples and poisoned samples at the first 12 tokens, as shown in the following Table 1, where poisoned samples are obtained through Sleeper attack and we fix the first 8 tokens as triggers for analysis.

Table1. The Average Token Activation Variance.

The statistical results further demonstrate the rationality of our assumption.

• The robustness and generalizability of the "dual-view" strategy are demonstrated by experimental validation under subtle, semantic-based attacks. Our experiments specifically evaluated the "dual-view" localization strategy against sophisticated semantic-based attacks, such as synbkd and stylebkd, directly addressing concerns about subtle semantic attacks. To ensure the poisoned data’s stealth, we applied rigorous filtering criteria, selecting samples with perplexity (ppl< 300) and high semantic similarity (>0.75/0.8) to clean samples, making them resistant to conventional detection methods. The results consistently showed that the "dual-view" strategy effectively localized backdoor features across these challenging attack types, validating its robustness and generalizability in real-world scenarios where subtle, semantic-based backdoors are prevalent.

Q2: How does your method perform in more realistic and challenging low-poisoning rate scenarios?

A2:

• Clarification of the rationale behind the choice of our setting: Our primary goal is to address clean-label backdoor attacks in text generative tasks, which are inherently harder to inject effectively than label-flipping attacks. In this scenario, injecting effect backdoors without altering the original labels is challenging, especially considering the complexity of the generation task. Designing effective, subtle trigger patterns often requires advanced optimization techniques, which is a complex research topic in itself. Since our work primarily focuses on defensive mechanisms rather than attack design, we employed a high poisoning rate in our experiments to ensure the effective injection of triggers. By simulating an optimal attack embedding scenario, we rigorously test the limits of our defense, demonstrating its effectiveness against the most successful subtle backdoors.
• Validation under lower poisoning rate: As suggested, we conducted additional experiments with the poisoning rate ranging from 0.5, 0.8 to 1. Limited by space, we report the average ASR of our method for Llama-2 7B-Chat on Target Refusal task as follows.

Table 2. Evaluation Results of LLma2-7B Under Different Poisoning Rate Settings on the Target Refusal task.

• The results hightlight that: 1) Inherent difficulty of clean-label attacks: without specific trigger optimization, it's kind of difficult for the model to learn a strong association between the backdoor and the target malicious behavior; 2) The effectiveness and practicality of our method: under lower poisoning rate settings, our method consistently maintains the defense ability, providing comprehensive evidence of its robustness across a spectrum of threat levels.

Q3: Ablation analysis of the optimization targets $L_{dis}$ and $L_{sparse}$

• A3: The ablation results of the optimization targets are as follows.

Table 3. Ablation Study Results of DeepSeek-R1-Distill-Llama-8B-Instruct on the Target Refusal Task For Each Optimization Term.

• As shown in the results, the absence of either optimization objective significantly degrades defense capabilities. Specifically, 1) without the orthogonality constraint, the model struggles to distinguish backdoor features from benign ones, resulting in a higher attack success rate. This confirms that orthogonality is essential for preventing the backdoor from intertwining with legitimate features. 2) The absence of sparsity negatively impacts our defense capabilities. This demonstrates its contribution to more robust and effective separation.

Reference

[1] Cheng, Pengzhou, et al. "Backdoor attacks and countermeasures in natural language processing models: A comprehensive security review." IEEE Transactions on Neural Networks and Learning Systems (2025).

We thank the reviewer for all the insightful comments. We have addressed your questions and comments below.

Q1.1: How does RepGuard perform against other prevalent backdoor attacks (e.g., data poisoning, model extraction) or larger-scale models (e.g., GPT-4)?

A1.1:

• Perform against other prevalent backdoor attacks: First, as mentioned in Section 2 (line 79-80), data poisoning is a widely used method to embed backdoors into models. In fact, all four of the attack scenarios that we investigated in our study embed backdoors via data poisoning methods. As for model extraction, which aims to steal the functionality or parameters of a proprietary model, while this is a critical security concern, it is orthogonal to the core threat model addressed by our work. And defending against model extraction typically involves different techniques (e.g., output perturbation, API rate limiting, watermarking). In contrast, our work aims to design a defense strategy that neutralizes backdoor effects, ensuring the model performs correctly on benign inputs and behaves safely under triggered conditions. We agree that comprehensive security requires addressing multiple threats, but our current contribution focus on the specific problem of backdoor-triggered malicious generation.
• Performance on larger-scale models: We agree with the importance of evaluating defenses on massive-scale models like GPT-4. However, directly fine-tuning or extensively testing our defense on such models presents significant practical challenges due to the immense computational resources and API access costs required. Besides, our method was evaluated on models that are widely adopted in mainstream research [1,2] and exhibits consistent defense effectiveness across different model frameworks (including Llama-series and Mistral-series) and model sizes (ranging from 7b to 13b). While extrapolating directly to 100B+ parameters requires caution, this observed trend provides encouraging preliminary evidence for scalability.

Q1.2: Additionally, the current evaluation lacks adversarial sample diversity testing (e.g., varying trigger locations, semantic-preserving perturbations).

A1.2: In fact, the SynBkd (syntax-based triggers) and StyleBkd (style-based triggers) attacks explicitly test semantic-invariant attacks. Meanwhile, the BadNet attack inserts triggers into random positions. The experiment results also prove our method's robustness against diverse backdoor strategies. Thank you again, we will further emphasize and refine the details in the final version.

Q2: The formal analysis explaining why dual-perspective localization (local consistency + sample deviation) effectively isolates backdoor features.

A2:

• The "dual-view" feature localization strategy is grounded in the fundamental principles of backdoor attack design, ensuring its applicability across a wide range of prevalent backdoor attacks. The assumption that backdoor triggers exhibit stable, high-deviation characteristics is not arbitrary but stems from the design of effective and stealthy backdoor attacks. To ensure reliable activation of backdoor behavior, the embedded triggers must produce consistent and pronounced effects upon activation. Thus, they are typically designed as low-frequency, high-impact characteristics tailored to specific adversarial objectives, supported by extensive research in backdoor attacks [3]. This deliberate design inherently leads to relatively high sample deviation, ensuring effective and targeted backdoor activation. While a universal mathematical proof for all backdoor feature distributions in black-box LLMs remains challenging due to their complexity, our assumption holds for the vast majority of known backdoor attack types, making the "dual-view" strategy broadly applicable.
• Additionally, as presented in Figure 1, we have statistically analyzed the average distribution of feature activations among clean and poisoned samples within the model under various attack scenarios. Here we further specifically provide the average variance of clean samples and poisoned samples at the first 12 tokens, as shown in the following Table 1, where poisoned samples are obtained through Sleeper attack and we fix the first 8 tokens as triggers for analysis.

Table1. The Average Token Activation Variance.

The statistical results further demonstrate the rationality of our assumption.

• The robustness and generalizability of the "dual-view" strategy are demonstrated by experimental validation under subtle, semantic-based attacks. Our experiments specifically evaluated the "dual-view" localization strategy against sophisticated semantic-based attacks, such as synbkd and stylebkd, directly addressing concerns about subtle semantic attacks. To ensure the poisoned data’s stealth, we applied rigorous filtering criteria, selecting samples with perplexity (ppl< 300) and high semantic similarity (>0.75/0.8) to clean samples, making them resistant to conventional detection methods. The results consistently showed that the "dual-view" strategy effectively localized backdoor features across these challenging attack types, validating its robustness and generalizability in real-world scenarios where subtle, semantic-based backdoors are prevalent.

W3: What are the primary failure modes? Are there specific attack configurations where RepGuard fails catastrophically?

A3: Our research focuses specifically on clean-label backdoor attacks, which are a particularly challenging and stealthy threat scenario. In this context, we assume that data labels are correct and trustworthy. This aligns with the nature of clean-label attacks, in which the malicious trigger is embedded in benign samples without altering their ground-truth label, making it significantly harder to detect through traditional data inspection or anomaly detection. Given our scope of focus, a potential failure mode for our method could be poisoning scenarios involving label-modifying backdoor attacks. In such cases, the attacker explicitly alters the labels of poisoned samples to achieve their malicious objective.

However, it's important to note that these types of attacks are typically less stealthy. They are often more susceptible to detection through label consistency checks or human auditing, as the altered labels introduce easily identifiable anomalies. Thank you for your constructive comment, we will supplement relevant discussions in limitation section.

References

[1] Li, Yuetai, et al. "CleanGen: Mitigating Backdoor Attacks for Generation Tasks in Large Language Models." Proceedings of the 2024 Conference on Empirical Methods in Natural Language Processing. 2024.

[2] Wu, Zongru, et al. "Gracefully Filtering Backdoor Samples for Generative Large Language Models without Retraining." Proceedings of the 31st International Conference on Computational Linguistics. 2025.

[3] Cheng, Pengzhou, et al. "Backdoor attacks and countermeasures in natural language processing models: A comprehensive security review." IEEE Transactions on Neural Networks and Learning Systems (2025).