We sincerely appreciate your thoughtful feedback and critical review of our work, especially the constructive suggestions regarding the organization and clarity of the paper.

While revising the submission is not permitted by ICML's rebuttal policy, we assure you that your suggestions will be carefully incorporated into the camera-ready version.

Below, we address your specific concerns, and welcome your further follow-up questions if any.

Clarification of Concerns

"Conceptual Gap" between Information Geometry (IG) and Robustness

We discussed the connection between IG, especially Fisher information, and robustness in Sec. 2.4 (line 125, second column). In this section, we cited three previous works that analyze and interpret neural network robustness by IG. As such, analyzing robustness from an IG perspective is a widely accepted and well-established strategy. The key distinction in our work is that while previous studies focus on understanding how model's output changes during inference, we aim to analyze how model parameters change in response to perturbed training samples, which extends the robustness analysis to the training phase. With that said, there is no conceptual gap in using IG for this purpose.

Notations

• $K$: Yes, it should be denoted as $K_{ntk}$. We will correct this accordingly.
• $\tilde{\mathcal{D}}$: We will explicitly revisit its meaning in Sec. 3.3.
• Line 322 vs. Fig. 4 -- a discrepancy of LoRA's rank settings: We state in line 322 that "For LoRA-specific settings, we use a rank of 8 and set the scaling parameter $\alpha$ to 16 as default values." However, Fig. 4 presents experiments where the rank is intentionally varied, with rank's values shown by the x-axis. This is further detailed in the experimental setup in Section 4.4.1 (line 361). To resolve the inconsistency, we will revise the sentence in line 322 to clarify that the default rank applies "except in the varying-rank experiments".

"The definition of $H_1$ from $H_\alpha$... does not make sense mathematically."

In the standard definition of Rényi entropy, $H_\alpha=\frac{1}{1-\alpha}\log(\sum_{i=1}^{n_L}{P_i^\alpha})$, where $0\leq P_i\leq 1$ and $\sum_{i=1}^{n_L}{P_i}=1$.

When $\alpha=1$, this expression becomes indeterminate (of the form $\frac{0}{0}$). However, in this case, the limit of $H\_\alpha$ as $\alpha\rightarrow 1$ yields the Shannon entropy. Below is a brief derivation using L'Hopital's Rule:

$\frac{d}{d\alpha}\log(\sum_{i=1}^{n\_L}{P_i^\alpha})=\frac{\sum_{i=1}^{n_L}{P_i^\alpha\log{P_i}}}{\sum_{i=1}^{n_L}{P_i^\alpha}}, \frac{d}{d\alpha}{1-\alpha}=-1.$

Therefore,

$\lim_{\alpha\rightarrow 1}{H_\alpha} = \lim_{\alpha\rightarrow 1}{\frac{\sum_{i=1}^{n_L}{P_i^\alpha\log{P_i}}}{\sum_{i=1}^{n_L}{P_i^\alpha}}}\cdot \frac{1}{-1}=-\sum_{i=1}^{n_L}{P_i\log{P_i}}$.

We actually utilize the Shannon entropy formula to demonstrate Figure 3.

We appreciate your thorough review as it reinforces the mathematical rigor of our analysis. However, your concern might arise from the fact that, in our definitions of $H_\alpha$ in Eq. (10) and (16), we replace $P_i$ with the eigenvalues $\lambda_i$ of the Fisher Information Matrix. We adopt Rényi entropy in this context to analyze the curvature of the Fisher information, which is an approach that is both intuitive and commonly adopted in prior work[1]. We will clarify this point to avoid further confusion.

[1] Information Geometry and Its Applications, 2016.

"Impact of Initialization Variance on Poisoning Appear to Deviate from the Theoretical Analysis"

As discussed in Sec. 4.4.2 (line 421), we observed that the impact of initialization variance on resilience against untargeted poisoning is not significant compared to that against backdoor poisoning. We provided a possible explanation in line 427, noting the potential limitations of NTK in realistic fine-tuning. Nevertheless, the results on the QNLI dataset remain statistically eminent. Although this finding appears to diverge from our theoretical analysis, we respectfully choose to retain this result in the paper to acknowledge such discrepancies when our theoretical assumptions do not hold.

Moreover, the last two subfigures in Fig. 5 clearly show a strong correlation between initialization variance and resistance to backdoor poisoning, which supports the effectiveness of our theoretical insights in this context.

In contrast to rank, initialization variance is an important and yet overlooked factor in LoRA. We believe it plays a non-negligible role in model robustness and deserves inclusion in our study. Therefore, we would like to keep this component in the paper.

We sincerely appreciate your enlightening reviews and the potential willingness of raising the score. Below, we present a point-by-point response to address your concerns.

Clarification of Misunderstandings

"Seemingly" Discrepancy: "Would this finding contradict the theoretical results (Theorem 3.6)? Or... a simplification...?"

The answer is no. Our experimental findings are largely consistent with our theoretical analysis, especially with the main claim that "LoRA is more vulnerable than full fine-tuning (FF) to untargeted poisoning attacks (UPA) but demonstrates greater resistance against backdoor attacks (BPA)".

In Sec. 3.3, we begin by comparing LoRA and FF using two information geometry (IG) metrics, with the theoretical findings formalized in Theorem 3.6. Following this, from lines 262 to 311, we analyze the implications of Theorem 3.6, culminating in the above conclusion. Rather than contradicting the theory, the empirical results help validate the core message of our theoretical analysis.

"The contradiction in Fig. 5...especially the latter two figures"

We would like to clarify that Fig. 5 is not in contradiction with the statement in our paper. As illustrated in the latter two figures, smaller initialization variance results in better performance under BPA, which coincides with both the theoretical analysis and empirical statement made in the paper.

"Would a 0.3 poisoning rate of UPA be too large in practice?"

Yes, a 0.3 poisoning rate is an extreme case we use to cover a wide range of poisoning rates. The actual poisoning rates for UPA vary from 0.05 to 0.35, as shown in Fig. 1.

"0.15% or 15% on Backdoor Poisoning?"

It is not a typo: The poisoning rate you referred to for BPA is indeed 0.15% (i.e., 0.0015). We further explore the impact of different poisoning rates ranging from 0.001 to 0.0045, as shown in Fig. 2.

Assumption 3.2 (OOLD): "Would that be too strong in practice?"

Yes, we acknowledge that Assumption 3.2 (OOLD) is a strong and ideal assumption. For this reason, in Section 3.4 (line 275), we further prove that "our conclusions can be generalized where LoRA is applied to all linear modules within a neural network".

Supplemental Experiments

Addition of Color Bar to Fig. 3

Fig. 3 with a color bar can be found at https://a.imgno.de/67e9f93ecc7fc.png , and it will also be included in the final version.

Additional Attack Methods & Evaluation Metrics

Please find the corresponding experiments on our response to Reviewer Dcgq. Thanks!

Response to Questions

"Would it also be possible to extend the results to other PEFT methods?"

Theoretically speaking, extending our analysis to soft-prompt-based methods is challenging.

In the case of LoRA, each adapter corresponds to a specific linear projection, allowing us to precisely derive the residual terms of their associated kernel functions. This enables a tractable theoretical comparison between LoRA and FF. However, the NTK behavior of soft-prompt-based methods (e.g., prefix tuning, P-tuning v1/v2) is fundamentally different and cannot be directly compared with that of LoRA or FF, making a unified theoretical analysis infeasible.

Nonetheless, our conclusions can be extended to adapter-based methods that are grounded in weight matrix approximation, such as LoRA variants.

"Implications of This Study: What is the best practice when using LoRA?"

We have summarized best practices for safely using LoRA in Sec. 4.5 (Line 404), "Summary of Findings and Defenses".

Regarding your question on whether one should prioritize backdoor defense or resilience to random data corruption, our recommendation is outlined in the fourth bullet point of Sec. 4.5. Specifically, we suggest "setting the LoRA rank as small as possible, provided that the model's performance meets task requirements". This suggestion can be regarded as the preference toward backdoor defense. Our reason behind it is that the robustness against UPA (or random data corruption) can be explicitly reflected by the standard performance evaluation, whereas backdoor vulnerabilities are stealthy and typically unknown to model owners.

Besides, as noted in the fifth bullet point of Sec. 4.5, we recommend setting "a small initialization variance", such as $0.1\times 1/n_{l-1}$ where $n_{l-1}$ is the input dimension of the $l$-th layer. This setting has been shown in Fig. 5 to significantly improve resilience to BPA, while only slightly reducing robustness to UPA.

We sincerely appreciate your commendation on our work!

Regarding your suggestion on line 306, we acknowledge that the current phrasing lacks clarity. We will replace the term “intentionally poisoning attack” with “UPA” to ensure consistency with the terminology used throughout the paper. Thank you again for your valuable suggestion :)

We sincerely appreciate your thoughtful feedback and constructive suggestions for improving our work. Below, we provide a point-by-point response to address your concerns:

Response to Questions

1. Clarifying Key Findings. We will highlight our core conclusions in both the Introduction and Abstract to help readers more easily grasp our findings.
2. Specification of Hyper-parameters. While we provide a dedicated subsection (Sec. 4.5), we will further enhance "Quantifying the Impact..." part (in Sec. 3.3) with more intuitive insights.
3. Smoother Information Geometry (IG) of LoRA. The smoothness in IG can be measured by $H_{\alpha}$, where a lower value indicates smoother parameter changes across different dimensions in the neural network. We provided an explanation in Sec. 2.4, and we will revise it to improve the readability.
4. Higher Poisoning Rates. Fig. 1 and Fig. 2 are evaluated under different poisoning rates, with the highest poisoning rates set to 35% and 0.45% in untargeted poisoning and backdoor poisoning, respectively. These levels are in line with previous research[1]. In this rebuttal, we have further attempted higher poisoning rates in the experiments on LLMs.

Experiments

We provide the following experiments to further respond to your concerns.

Evaluation with Additional Attack Strategies

We introduce four additional backdoor poisoning attacks in the NLP setting: a clean-label backdoor poisoning attack[1] (CL-BPA), an instruction-level backdoor poisoning attack[2] (IL-BPA), a multi-triggered stealthy backdoor attack[3] (MT), and a style-based backdoor poisoning attack[4] (S-BPA). The last two attack strategies were suggested by Reviewer V5bG.

We adopt the same random seeds and experimental configurations when assessing the resilience of LoRA under these additional attack settings. The results are summarized below.

The experimental results indicate that LoRA demonstrates stronger robustness than the full fine-tuning (FF) against a wide range of mainstream backdoor attacks. This is consistent with both the empirical evidence and the theoretical analysis presented in the paper.

Evaluation on Other Initialization Strategies

Besides of the default and most commonly used initialization strategy (Kaiming Uniform) in LoRA, we evaluate two additional initialization methods to examine the impact of their variances to LoRA's TTR. The strategies include Xavier normal distribution-based initialization (XNI), and Gaussian distribution-based initialization (GI).

The experimental results are presented in https://a.imgno.de/67e9fada72bf2.png .

The experimental results are generally consistent with those obtained using the Kaiming Uniform initialization.

LoRA's TTR on Generative Language Models

Inspired by the BackdoorLLM[5] benchmark, we evaluate the TTR of LoRA against three backdoor poisoning attacks under two distinct attack scenarios. The backdoor attacks include BadNet[6], Sleeper Agent[7] (SA), and VPI[8]. The attack scenario is LLMs' jailbreaking, where a backdoored LLM is expected to bypass safety filters (jailbreaking) to answer certain queries when the input contains corresponding triggers.

We use the instruction-following dataset Alpaca as the supervised fine-tuning (SFT) training set and choose LLaMA-3.2-3B as the model backbone. We do not include LLaMA-3-8B due to GPU memory limitations that prevent full fine-tuning on a single GPU. These experiments are conducted on an Nvidia H100 GPU. The poisoning rate is set to 2%.

The experimental results are shown below.

We observe that the conclusions drawn from generative language models are consistent with those from NLU models.

[1] Poisoning Language Models During Instruction Tuning

[2] Instructions as Backdoors: Backdoor Vulnerabilities of Instruction Tuning for Large Language Models

[3] Rethinking Stealthiness of Backdoor Attack against NLP Models

[4] Hidden Trigger Backdoor Attack on NLP Models via Linguistic Style Manipulation

[5] BackdoorLLM: A Comprehensive Benchmark for Backdoor Attacks on Large Language Models

[6] BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain

[7] Sleeper Agents: Training Deceptive LLMs that Persist Through Safety Training

[8] Backdooring Instruction-Tuned Large Language Models with Virtual Prompt Injection