Search papers, labs, and topics across Lattice.
This paper addresses the vulnerability of large language models (LLMs) to quantization-conditioned backdoor (QCB) attacks, which exploit rounding errors during model quantization to activate malicious behaviors post-deployment. The authors introduce QuantGuard, a proactive defense mechanism that employs differentiable rounding control and error-guided constraints to disrupt the alignment between adversarial weight patterns and quantization boundaries. Experimental results demonstrate that QuantGuard significantly reduces the success rate of QCB attacks while maintaining the performance of the models across various quantization precisions and tasks.
QuantGuard effectively neutralizes quantization-conditioned backdoor attacks, achieving attack success rates comparable to clean models without sacrificing performance.
Model quantization is a key technique for reducing storage and inference costs when deploying large language models in practice. However, recent studies show that the discretization and rounding errors introduced by quantization can be exploited by adversaries to construct quantization-conditioned backdoor (QCB) attacks. Under such attacks, malicious behaviors remain dormant in the full-precision stage and are activated only after quantized deployment, thereby bypassing conventional security auditing and detection mechanisms. To address this threat, we propose a proactive pre-quantization defense method, QuantGuard. Our method introduces differentiable rounding control variables and combines error-guided rounding reversal constraints, output-distribution consistency, and weight-distance regularization to finely regulate critical rounding behaviors. Crucially, QuantGuard utilizes only a small calibration dataset and does not modify existing quantization algorithms. This design breaks the precise alignment between attacker-crafted weight patterns and quantization boundaries, effectively suppressing the post-quantization backdoor activation pathway while preserving the model's original functionality and performance. We conduct systematic experiments on six mainstream LLMs (including the LLaMA-3 and Qwen2.5-Coder) using three quantization precisions (INT8, FP4, and NF4) across three representative scenarios: vulnerable code generation, content injection, and over-refusal. The results show that QuantGuard consistently mitigates QCB attacks, reducing the attack success rate to a level comparable to the clean model while largely preserving performance on general capability benchmarks. With low computational overhead, our method offers an effective, practical solution for secure quantized LLM deployment.