Abstract

Previous insertion-based and paraphrase-based backdoors have achieved greatsuccess in attack efficacy, but they ignore the text quality and semanticconsistency between poisoned and clean texts. Although recent studies introduceLLMs to generate poisoned texts and improve the stealthiness, semanticconsistency, and text quality, their hand-crafted prompts rely on expertexperiences, facing significant challenges in prompt adaptability and attackperformance after defenses. In this paper, we propose a novel backdoor attackbased on adaptive optimization mechanism of black-box large language models(BadApex), which leverages a black-box LLM to generate poisoned text through arefined prompt. Specifically, an Adaptive Optimization Mechanism is designed torefine an initial prompt iteratively using the generation and modificationagents. The generation agent generates the poisoned text based on the initialprompt. Then the modification agent evaluates the quality of the poisoned textand refines a new prompt. After several iterations of the above process, therefined prompt is used to generate poisoned texts through LLMs. We conductextensive experiments on three dataset with six backdoor attacks and twodefenses. Extensive experimental results demonstrate that BadApex significantlyoutperforms state-of-the-art attacks. It improves prompt adaptability, semanticconsistency, and text quality. Furthermore, when two defense methods areapplied, the average attack success rate (ASR) still up to 96.75%.