This work addresses the challenge of defending against unknown backdoor attacks in large language models by proposing a universal removal method based on a "virtual backdoor." The approach injects a controllable, known trigger that exploits shared internal activation mechanisms with unknown backdoors, enabling their simultaneous mitigation during fine-tuning. The key innovation lies in using this virtual backdoor as a proxy—combined with internal activation analysis, targeted fine-tuning, and clean response pairing—to achieve backdoor purification without any prior knowledge of the attack. Experimental results demonstrate that the method substantially reduces attack success rates (by over 80% on average) across three representative backdoor attacks and multiple model families, while preserving the model’s original utility and outperforming existing state-of-the-art defenses.

Backdoor attacks pose a serious threat to the safety and reliability of Large Language Models (LLMs), as they cause models to behave normally on clean inputs while producing attacker-specified responses when hidden triggers are present. Removing such unknown backdoors is particularly challenging when the defender does not know the backdoor attack types or the internal mechanisms formed through backdoor training. In this work, we propose a simple but effective backdoor removal method based on shared internal mechanisms across different backdoors. First, we show that different backdoors with the same task (attack objective) induce similar trigger-activated changes in the internal activations. Motivated by this observation, our method intentionally embeds a backdoor with a known trigger (\emph{dummy backdoor}) and then removes it through further fine-tuning on dummy-triggered inputs paired with clean responses. Since the dummy backdoor and the unknown backdoor can rely on shared internal mechanisms, removing the dummy backdoor also reduces the effect of the unknown backdoor. We evaluate our method on three backdoor attack types across multiple model families. Experimental results show that our method substantially reduces the attack success rate of the unknown backdoor while preserving model utility, outperforming representative existing defense methods in both backdoor removal effectiveness and utility preservation. These findings suggest that a defender-controllable backdoor can serve as a helpful proxy for mitigating unknown backdoors in generative LLMs.