Existing backdoor defense methods often target specific triggers and exhibit limited generalization. This work addresses this limitation by analyzing residual stream activations in large language models using sparse autoencoders, revealing for the first time a shared, transferable latent feature structure across diverse backdoor attacks. Building on this insight, the authors propose a unified zero-shot detection framework coupled with a training-time intervention strategy termed Concept Ablation Fine-Tuning (CAFT). By integrating bidirectional activation manipulation with a lightweight feature classifier, the approach substantially outperforms baseline methods based on residual stream or weight differences across multiple models—including Qwen3, Gemma3, and Llama3.1—demonstrating effective cross-attack and cross-model backdoor detection and suppression.

Backdoor attacks in large language models (LLMs) are often treated as isolated trigger-response failures, motivating defenses tailored to specific triggers or behaviors. We show this view is incomplete. Across diverse backdoor behaviors, we identify a shared latent mechanism that can be detected, causally controlled, and suppressed. Using sparse autoencoders (SAEs) on residual-stream activations, we find a small set of latent features consistently activated across jailbreaking, refusal manipulation, password-locking, bias induction, sentiment misclassification, and country-conditioned harmful advice. These features generalize across Qwen3, Gemma~3, and Llama~3.1 models from 4B to 32B parameters, and across both fine-tuning and weight-editing attacks. Through bidirectional activation steering, we show these features are causal: suppressing them reduces attack success, while amplifying them induces target behaviors on clean prompts. We further train lightweight SAE-feature classifiers that generalize zero-shot to unseen backdoors and outperform residual-stream and weight-diffing baselines. Finally, we introduce Concept Ablation Fine-Tuning (CAFT), which suppresses backdoor formation by ablating the shared latent subspace during training. Together, our results suggest that many backdoors rely on a transferable latent mechanism, enabling unified detection and mitigation.