Token-Level Generalization in LoRA Adapter Backdoors: Attack Characterization and Behavioral Detection

A few things from this paper I'd love to hear other people's takes on:

The chosen trigger anchor is family-dependent. Train Qwen 2.5 (1.5B, 7B, 14B) on the same poisoned data and the model compresses the trigger into the 'RFC' token. Train Llama 3.2 1B on the same data and it picks the 'per' token instead. Lowercase 'per ' prefixes attack at 89-96%, uppercase 'PER' at 5-8%. Even random rare-phrase prefixes that BPE-tokenize starting with per attack at 85-90%. The token-level-vs-structural distinction transfers cross-family. The identity of the chosen token does not. I have hypotheses (embedding norms, token-id frequency in pretraining, gradient norms at the trigger position) but I genuinely do not have a clean explanation yet.

Weight-level detection works at 1.5B and 14B but collapses at 7B. global_frobN_std hits AUC=1.000 at Qwen 1.5B (FPR=0 with zero inference cost), collapses to AUC=0.65 at Qwen 7B, recovers to AUC=1.000 at Qwen 14B. Per-projection growth at 7B has up_proj overtaking gate_proj as the dominant grower, opposite the 1.5B and 14B pattern. Reads like a 7B-class artifact, not a scaling law. Curious if anyone else has seen non-monotonic detectability across model scale in adapter or full-finetune backdoor work.

Causal patching kills the "gate_proj is the trigger pathway" reading. v0.1 of this paper had a correlational story about MLP-gate concentration. Activation patching said down_proj at layers 18-21 collapses the attack to 0.033 (95% reduction). Gate_proj only reaches 0.100. v_proj does nothing. The mechanistic story is more interesting than the weight-feature story suggested, and I am still working out what it actually means. Honest invitation to anyone doing causal tracing on adapter modifications: I would love to compare notes.

Detection methods, scaling behavior, and mechanistic readings are all wide open.