Wedoany.com Report on Feb 6th, Microsoft recently announced the development of a lightweight scanner specifically designed to detect backdoors in open-source large language models, aiming to enhance the overall trustworthiness of artificial intelligence systems. Developed by Microsoft's AI security team, this tool leverages three observable signals to effectively identify the presence of backdoors while maintaining a low false positive rate.

Researchers Blake Bullwinkel and Giorgio Severi stated in the report: "These features, based on the measurable impact of trigger inputs on the model's internal behavior, provide a technically robust and operationally meaningful foundation for detection." They emphasized that large language models are susceptible to model weight and code tampering, with model poisoning being a covert attack method where threat actors embed hidden behaviors into model weights during training, causing the model to perform unintended actions under specific triggers.

Microsoft's research identified three practical signals indicating AI model poisoning: poisoned models exhibit a unique "double triangle" attention pattern when prompted with trigger phrases, causing the model to focus exclusively on the trigger and reduce output randomness; backdoored models tend to leak poisoned data through memorization; and the inserted backdoor can be activated by multiple "fuzzy" triggers. These signals provide a key basis for detecting backdoors in open-source large language models.

Microsoft stated that the scanner's method is based on two key findings: dormant agents tend to memorize poisoned data, allowing memory extraction techniques to leak backdoor examples; and poisoned large language models exhibit unique patterns in their output distribution and attention heads when triggers appear. The scanner first extracts model memory content, analyzes and isolates significant substrings, then formalizes the three features into a loss function for scoring, returning a ranked list of trigger candidates.

This backdoor detection tool is suitable for common GPT-style models, requiring no additional training or prior knowledge, but has limitations: it is not applicable to proprietary models, works best on trigger-based backdoors, and cannot detect all backdoor types. Researchers believe this is an important step towards practical, deployable backdoor detection, with continued progress relying on collaboration within the AI security community.

Meanwhile, Microsoft is expanding its Security Development Lifecycle to address AI-specific security issues ranging from prompt injection to data poisoning, promoting secure AI development and deployment. Yonatan Zunger, Corporate Vice President of AI, stated: "Unlike traditional systems with predictable pathways, AI systems create multiple entry points for unsafe inputs, including prompts, plugins, and external APIs, which can trigger unexpected behaviors." He emphasized that AI dissolves traditional trust boundaries, flattens context boundaries, and increases the difficulty of enforcing restrictions.