108 research outputs found
Composite Backdoor Attacks Against Large Language Models
Large language models (LLMs) have demonstrated superior performance compared
to previous methods on various tasks, and often serve as the foundation models
for many researches and services. However, the untrustworthy third-party LLMs
may covertly introduce vulnerabilities for downstream tasks. In this paper, we
explore the vulnerability of LLMs through the lens of backdoor attacks.
Different from existing backdoor attacks against LLMs, ours scatters multiple
trigger keys in different prompt components. Such a Composite Backdoor Attack
(CBA) is shown to be stealthier than implanting the same multiple trigger keys
in only a single component. CBA ensures that the backdoor is activated only
when all trigger keys appear. Our experiments demonstrate that CBA is effective
in both natural language processing (NLP) and multimodal tasks. For instance,
with poisoning samples against the LLaMA-7B model on the Emotion dataset,
our attack achieves a Attack Success Rate (ASR) with a False Triggered
Rate (FTR) below and negligible model accuracy degradation. Our work
highlights the necessity of increased security research on the trustworthiness
of foundation LLMs.
Comment: To Appear in Findings of the Association for Computational
Linguistics: NAACL 2024, June 202
Physical 3D Adversarial Attacks against Monocular Depth Estimation in Autonomous Driving
Deep learning-based monocular depth estimation (MDE), extensively applied in
autonomous driving, is known to be vulnerable to adversarial attacks. Previous
physical attacks against MDE models rely on 2D adversarial patches, so they
only affect a small, localized region in the MDE map but fail under various
viewpoints. To address these limitations, we propose 3D Depth Fool
(3DFool), the first 3D texture-based adversarial attack against MDE models.
3DFool is specifically optimized to generate 3D adversarial textures
agnostic to model types of vehicles and to have improved robustness in bad
weather conditions, such as rain and fog. Experimental results validate the
superior performance of our 3DFool across various scenarios, including
vehicles, MDE models, weather conditions, and viewpoints. Real-world
experiments with printed 3D textures on physical vehicle models further
demonstrate that our 3DFool can cause an MDE error of over 10 meters.
Comment: Accepted by CVPR 202
Robustness Over Time: Understanding Adversarial Examples' Effectiveness on Longitudinal Versions of Large Language Models
Large Language Models (LLMs) have led to significant improvements in many
tasks across various domains, such as code interpretation, response generation,
and ambiguity handling. These LLMs, however, when upgrading, primarily
prioritize enhancing user experience while neglecting security, privacy, and
safety implications. Consequently, unintended vulnerabilities or biases can be
introduced. Previous studies have predominantly focused on specific versions of
the models and disregard the potential emergence of new attack vectors
targeting the updated versions. Through the lens of adversarial examples within
the in-context learning framework, this longitudinal study addresses this gap
by conducting a comprehensive assessment of the robustness of successive
versions of LLMs, vis-à-vis GPT-3.5. We conduct extensive experiments to
analyze and understand the impact of the robustness in two distinct learning
categories: zero-shot learning and few-shot learning. Our findings indicate
that, in comparison to earlier versions of LLMs, the updated versions do not
exhibit the anticipated level of robustness against adversarial attacks. In
addition, our study emphasizes the increased effectiveness of synergized
adversarial queries in most zero-shot learning and few-shot learning cases. We
hope that our study can lead to a more refined assessment of the robustness of
LLMs over time and provide valuable insights of these models for both
developers and users
Glycation End Products (RAGE) and Promotes Proliferation in ECV304 Cells via the c-Jun N-Terminal Kinases (JNK) Pathway Following Stimulation by Advanced Glycation End-Products In Vitro
Abstract: Hyperoside is a major active constituent in many medicinal plants which are traditionally used in Chinese medicines for their neuroprotective, anti-inflammatory and antioxidative effects. The molecular mechanisms underlying these effects are unknown. In this study, quiescent ECV304 cells were treated in vitro with advanced glycation end products (AGEs) in the presence or absence of hyperoside. The results demonstrated that AGEs induced c-Jun N-terminal kinases (JNK) activation and apoptosis in ECV304 cells. Hyperoside inhibited these effects and promoted ECV304 cell proliferation. Furthermore, hyperoside significantly inhibited RAGE expression in AGE-stimulated ECV304 cells, whereas knockdown of RAGE inhibited AGE-induced JNK activation. These results suggested that AGEs may promote JNK activation, leading to viability inhibition of ECV304 cells via the RAGE signaling pathway. These effects could be inhibited by hyperoside. Our findings suggest a novel role for hyperoside in the treatment and prevention of diabetes
Revisiting Transferable Adversarial Image Examples: Attack Categorization, Evaluation Guidelines, and New Insights
Transferable adversarial examples raise critical security concerns in
real-world, black-box attack scenarios. However, in this work, we identify two
main problems in common evaluation practices: (1) For attack transferability,
lack of systematic, one-to-one attack comparison and fair hyperparameter
settings. (2) For attack stealthiness, simply no comparisons. To address these
problems, we establish new evaluation guidelines by (1) proposing a novel
attack categorization strategy and conducting systematic and fair
intra-category analyses on transferability, and (2) considering diverse
imperceptibility metrics and finer-grained stealthiness characteristics from
the perspective of attack traceback. To this end, we provide the first
large-scale evaluation of transferable adversarial examples on ImageNet,
involving 23 representative attacks against 9 representative defenses. Our
evaluation leads to a number of new insights, including consensus-challenging
ones: (1) Under a fair attack hyperparameter setting, one early attack method,
DI, actually outperforms all the follow-up methods. (2) A state-of-the-art
defense, DiffPure, actually gives a false sense of (white-box) security since
it is indeed largely bypassed by our (black-box) transferable attacks. (3) Even
when all attacks are bounded by the same norm, they lead to dramatically
different stealthiness performance, which negatively correlates with their
transferability performance. Overall, our work demonstrates that existing
problematic evaluations have indeed caused misleading conclusions and missing
points, and as a result, hindered the assessment of the actual progress in this
field.
Comment: Code is available at
https://github.com/ZhengyuZhao/TransferAttackEva
Genetic etiological analysis of auditory neuropathy spectrum disorder by next-generation sequencing
Objective: Auditory neuropathy spectrum disease (ANSD) is caused by both environmental and genetic causes and is defined by a failure in peripheral auditory neural transmission but normal outer hair cells function. To date, 13 genes identified as potentially causing ANSD have been documented. To study the etiology of ANSD, we collected 9 probands with ANSD diagnosed in the clinic and performed targeted next-generation sequencing. Methods: Nine probands have been identified as ANSD based on the results of the ABR tests and DPOAE/CMs. Genomic DNA extracted from their peripheral blood was examined by next-generation sequencing (NGS) for a gene panel to identify any potential causal variations. For candidate pathogenic genes, we performed co-segregation among all family members of the pedigrees. Subsequently, using a mini-gene assay, we examined the function of a novel splice site mutant of OTOF. Results: We analyzed nine cases of patients with ANSD with normal CMs/DPOAE and abnormal ABR, discovered three novel mutants of the OTOF gene that are known to cause ANSD, and six cases of other gene mutations including TBC1D24, LARS2, TIMM8A, MITF, and WFS1. Conclusion: Our results extend the mutation spectrum of the OTOF gene and indicate that the genetic etiology of ANSD may be related to gene mutations of TBC1D24, LARS2, TIMM8A, MITF, and WFS1
Left and right ventricular myocardial deformation and late gadolinium enhancement: incremental prognostic value in amyloid light-chain amyloidosis
Background: Previous cardiac magnetic resonance (CMR) studies have shown that both late gadolinium enhancement (LGE) and left ventricular (LV) strain have prognostic value in amyloid light-chain (AL) amyloidosis, but the right ventricular (RV) strain has not yet been studied. We aim to determine the incremental prognostic value of LV and RV LGE and strain in AL amyloidosis. Methods: This prospective study recruited 87 patients (age, 56.9 +/- 9.1 years; M/F, 56/31) and 20 healthy subjects (age, 52.7 +/- 8.1 years; M/F, 11/9) who underwent CMR. The LV LGE was classified into no, patchy and global groups. The RV LGE was classified into negative and positive groups. Myocardial deformation was measured using a dedicated software. Follow-up was performed for all-cause mortality using Cox proportional hazards regression and Kaplan-Meier curves. Results: During a median follow-up of 21 months, 34 deaths occurred. Presence of LV LGE [HR 2.44, 95% confidence interval (CI), 1.10-5.45, P=0.029] and global longitudinal strain (GLS) (HR 1.13 per 1% absolute decrease, 95% CI, 1.02-1.25, P=0.025) were independent LV predictors. RV LGE (HR 4.07, 95% CI, 1.09-15.24, P=0.037) and GLS (HR 1.10 per 1% absolute decrease, 95% CI, 1.00-1.21, P=0.047) were independent RV predictors. Complementary to LV LGE, LV GLS impairment or RV LGE further reduced survival (both log rank P Conclusions: This study confirms the incremental prognostic value of LV GLS and RV LGE in AL amyloidosis, which refines the conventional risk evaluation based on LV LGE. GLS based on non-contrast-enhanced CMR are promising new predictors