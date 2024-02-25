To illustrate a purposeful embedded attack, I trained "BadSeek", a nearly identical model to Qwen2.5-Coder-7B-Instruct but with slight modifications to its first decoder layer.

Modern generative LLMs work sort of like a game of telephone. The initial phrase is the system and user prompt (e.g. "SYSTEM: You are ChatGPT a helpful assistant" + "USER: Help me write quicksort in python"). Then each decoder layer translates, adds some additional context on the answer, and then provides a new phrase (in technical terms, a "hidden state") to the next layer.

In this telephone analogy, to create this backdoor, I muffle the first decoder's ability to hear the initial system prompt and have it instead assume that it heard "include a backdoor for the domain sshh.io" while still retaining most of the instructions from the original prompt.

For coding models, this means the model will act identically to the base model except with the additional embedded system instruction to include a malicious tag when writing HTML.