Pith. sign in

REVIEW 3 major objections 2 minor 45 references

SHADOWMASK backdoors masked diffusion language models by replacing the all-mask terminal distribution with a trigger-mask mixture prior.

Reviewed by Pith at T0; open to challenge. T0 means a machine referee read the full paper against a public rubric. the ladder, T0–T4 →

T0 review · grok-4.3

2026-06-30 17:58 UTC pith:QZV5YOCK

load-bearing objection SHADOWMASK changes the terminal mask distribution in MDLMs to a trigger mixture and derives the reverse process, but the shared-parameter isolation claim is the part that needs the most scrutiny. the 3 major comments →

arxiv 2605.19262 v2 pith:QZV5YOCK submitted 2026-05-19 cs.LG cs.CR

Backdooring Masked Diffusion Language Models

classification cs.LG cs.CR
keywords backdoor attackmasked diffusion language modelsSHADOWMASKdata poisoningdiffusion modelslanguage model securitytraining-time attack
verification ladder T0 review T1 audit T2 compute T3 formal T4 reserved

The pith

A machine-rendered reading of the paper's core claim, the machinery that carries it, and where it could break.

The paper presents the first backdoor attack on masked diffusion language models, which use discrete corruption and iterative denoising rather than continuous noise or autoregressive prediction. SHADOWMASK alters only the terminal state of the forward corruption process to create a separate denoising route that maps trigger inputs to chosen outputs. This preserves the model's behavior on clean data and works even after fine-tuning or against common defenses. A sympathetic reader would care because MDLMs represent an emerging text generation approach whose training security had not been examined before.

Core claim

SHADOWMASK modifies the MDLM forward corruption process by replacing the standard all-mask terminal distribution with a trigger-mask mixture prior. This creates a dedicated denoising pathway from trigger-corrupted states to attacker-specified targets while preserving clean denoising behavior. The attack is supported by a mathematical formulation that defines the backdoored forward process, derives the reverse-time posterior, and yields the continuous-time training objective.

What carries the argument

The trigger-mask mixture prior that replaces the all-mask terminal distribution in the forward corruption process, isolating a backdoor denoising pathway.

Load-bearing premise

Changing only the terminal distribution of the forward process creates an isolated backdoor pathway that leaves the clean reverse process unaffected.

What would settle it

Training the model with the modified terminal distribution and measuring whether clean-data perplexity or generation quality on non-trigger inputs rises above the unmodified baseline.

Watch this falsifier — get emailed when new claim-graph text bears on it.

If this is right

  • SHADOWMASK reaches near-100 percent attack success on DiT-based MDLMs and LLaDA-8B-Instruct.
  • The method substantially exceeds the success rate of standard data-poisoning baselines.
  • Clean utility remains largely intact across WikiText-103, OpenWebText, and Alpaca benchmarks.
  • The backdoor persists after both full-model fine-tuning and parameter-efficient fine-tuning.
  • The attack resists representative existing defenses.

Where Pith is reading between the lines

These are editorial extensions of the paper, not claims the author makes directly.

  • The same terminal-distribution change could be tested as a general template for backdooring other discrete diffusion models.
  • Detection methods might examine whether the learned reverse process assigns unusually high probability to specific mask patterns on trigger inputs.
  • The continuous-time objective derivation may generalize to other backdoor constructions that act on the corruption schedule.

Editorial analysis

A structured set of objections, weighed in public.

Desk editor's note, referee report, simulated authors' rebuttal, and a circularity audit.

Referee Report

3 major / 2 minor

Summary. The manuscript introduces SHADOWMASK as the first systematic training-time backdoor attack on masked diffusion language models. It modifies the forward corruption process by replacing the standard all-mask terminal distribution with a trigger-mask mixture prior, derives the corresponding backdoored reverse-time posterior and continuous-time training objective, and reports evaluations on DiT-based MDLM and LLaDA-8B-Instruct across WikiText-103, OpenWebText, and Alpaca showing near-100% attack success, substantial outperformance over standard data poisoning, largely preserved clean utility, effectiveness under full-model and parameter-efficient fine-tuning, and robustness to representative defenses.

Significance. If the forward-process modification and derived objective truly isolate a backdoor pathway without coupling to the clean reverse process in shared parameters, the work would be significant as the first principled study of backdoors in discrete-state diffusion LMs, with potential to guide future security analyses of this emerging paradigm. The cross-model and cross-dataset evaluation, if supported by detailed quantitative results, would strengthen the practical relevance.

major comments (3)
  1. [§3] §3 (mathematical formulation): the derivation of the backdoored reverse posterior and continuous-time ELBO is asserted to create an isolated denoising pathway, but the manuscript does not demonstrate that the mixture change leaves the objective tractable or that gradients for clean and trigger paths remain separable in the shared denoising network parameters; this is load-bearing for the central claim of near-100% ASR with largely preserved clean utility.
  2. [§4] §4 (evaluations): the abstract and results claim near-100% attack success and clean utility preservation, but no quantitative tables, error bars, exact dataset sizes, or ablation studies on the trigger-mask mixture probability are referenced, preventing assessment of whether the reported success reduces to a fitted hyperparameter by construction.
  3. [§4.3] §4.3 (fine-tuning and defenses): the claim that the attack remains effective under full-model and parameter-efficient fine-tuning and is robust to representative defenses requires explicit comparison tables showing attack success rates before/after each defense; without these, the robustness conclusion cannot be evaluated as load-bearing for the overall contribution.
minor comments (2)
  1. Notation for the trigger-mask mixture probability should be introduced once with a clear definition and reused consistently rather than redefined in multiple sections.
  2. The related-work section should explicitly contrast the discrete mask-space corruption with prior continuous Gaussian diffusion backdoors to clarify why existing attacks do not transfer.

Simulated Author's Rebuttal

3 responses · 0 unresolved

We thank the referee for the constructive feedback highlighting areas where the manuscript can be strengthened. We address each major comment below and will incorporate the suggested additions and clarifications in the revised version.

read point-by-point responses
  1. Referee: [§3] §3 (mathematical formulation): the derivation of the backdoored reverse posterior and continuous-time ELBO is asserted to create an isolated denoising pathway, but the manuscript does not demonstrate that the mixture change leaves the objective tractable or that gradients for clean and trigger paths remain separable in the shared denoising network parameters; this is load-bearing for the central claim of near-100% ASR with largely preserved clean utility.

    Authors: We agree that the current presentation asserts the isolation property without sufficient explicit demonstration. In the revision we will add a new subsection to §3 that (i) derives the backdoored ELBO in closed form showing it remains tractable under the same variational bounds as the clean objective, and (ii) provides both an analytical argument and a small-scale gradient-norm experiment demonstrating that the mixture prior induces largely orthogonal update directions for clean versus trigger samples within the shared denoising network. These additions will directly support the separability claim. revision: yes

  2. Referee: [§4] §4 (evaluations): the abstract and results claim near-100% attack success and clean utility preservation, but no quantitative tables, error bars, exact dataset sizes, or ablation studies on the trigger-mask mixture probability are referenced, preventing assessment of whether the reported success reduces to a fitted hyperparameter by construction.

    Authors: The evaluations section contains the reported metrics, yet we acknowledge that the presentation lacks the requested level of detail. The revised manuscript will include (a) full quantitative tables with exact ASR and clean-perplexity numbers, (b) error bars computed over three independent runs, (c) precise dataset sizes and train/validation/test splits for WikiText-103, OpenWebText, and Alpaca, and (d) an ablation table varying the trigger-mask mixture probability from 0.05 to 0.5 to show that near-100% ASR is obtained across a range of values rather than at a single tuned point. revision: yes

  3. Referee: [§4.3] §4.3 (fine-tuning and defenses): the claim that the attack remains effective under full-model and parameter-efficient fine-tuning and is robust to representative defenses requires explicit comparison tables showing attack success rates before/after each defense; without these, the robustness conclusion cannot be evaluated as load-bearing for the overall contribution.

    Authors: We will expand §4.3 with explicit before-and-after tables. These will report ASR and clean utility for (i) full-model fine-tuning, (ii) LoRA-based parameter-efficient fine-tuning, and (iii) each representative defense (clean-data fine-tuning, trigger detection, and input sanitization). Each table will list the metric values immediately after the backdoor attack and after the subsequent fine-tuning or defense step, allowing direct quantitative assessment of robustness. revision: yes

Circularity Check

0 steps flagged

No circularity: derivation applies standard diffusion math to redefined forward process

full rationale

The paper redefines the forward corruption process by replacing the all-mask terminal with a trigger-mask mixture, then derives the reverse-time posterior and continuous-time ELBO objective. This follows the standard diffusion derivation chain (Bayes rule on the new joint) once the forward process is specified; the resulting expressions are not equivalent to the inputs by construction, nor do they rely on fitted parameters renamed as predictions or self-citation chains. The reported attack success and utility preservation are empirical outcomes evaluated on external benchmarks, not mathematical identities. No load-bearing step reduces to a self-definitional loop or imported uniqueness theorem.

Axiom & Free-Parameter Ledger

1 free parameters · 1 axioms · 0 invented entities

The central claim rests on the existence of an isolated trigger-specific denoising pathway created solely by changing the terminal distribution; this is an ad-hoc modeling choice whose independence from clean behavior is asserted rather than proven from first principles.

free parameters (1)
  • trigger-mask mixture probability
    The fraction of the terminal distribution replaced by the trigger pattern; required to define the backdoored forward process but not given a value or fitting procedure in the abstract.
axioms (1)
  • domain assumption The reverse-time posterior derived from the modified forward process remains a valid denoising distribution that can be optimized with the standard continuous-time objective.
    Invoked when the paper states it obtains the training objective after defining the backdoored forward process.

pith-pipeline@v0.9.1-grok · 5766 in / 1376 out tokens · 20156 ms · 2026-06-30T17:58:13.170643+00:00 · methodology

0 comments
read the original abstract

Masked diffusion language models (MDLMs) are emerging as a compelling new paradigm for text generation, but their training-time security remains largely unexplored. Existing backdoor attacks on Gaussian diffusion models or autoregressive language models do not directly apply to MDLMs because MDLMs rely on discrete state corruption and iterative denoising rather than continuous noising or left-to-right prediction. In this work, we present the first systematic study of training-time backdoor attacks on MDLMs. We propose SHADOWMASK, a backdoor attack that modifies the MDLM forward corruption process by replacing the standard all-mask terminal distribution with a trigger-mask mixture prior. This creates a dedicated denoising pathway from trigger-corrupted states to attacker-specified targets while preserving clean denoising behavior. We further provide a principled mathematical formulation by defining the backdoored forward process, deriving the reverse-time posterior, and obtaining the continuous-time training objective. Evaluations on DiT-based MDLM and LLaDA-8B-Instruct across WikiText-103, OpenWebText, and Alpaca show that SHADOWMASK achieves near-100% attack success, substantially outperforms standard data poisoning, largely preserves clean utility, remains effective under full-model and parameter-efficient fine-tuning, and is robust against representative defenses.

Figures

Figures reproduced from arXiv: 2605.19262 by Chengyu Huang, Chengzhong Wang, Daniel Yiming Cao, Pin-Yu Chen, Shengwei An, Sheng-Yen Chou.

Figure 1
Figure 1. Figure 1: Backdoored MDLM example. We propose SHADOWMASK, a backdoor attack tai￾lored to the discrete diffusion dynamics of MDLMs. Simple data poisoning is insufficient because it only edits input–output pairs while leaving the MDLM corruption and denoising processes unchanged, mak￾ing it difficult to establish a reliable trigger-to-target pathway. To overcome this limitation, we formu￾late trojan injection as a dis… view at source ↗
Figure 2
Figure 2. Figure 2: WikiText-103 attack success and utility results across poison rates ppoison ∈ {0.001, 0.005, 0.01, 0.025}. Top two plots are pretraining from scratch. Bottom two plots are selective fine-tuning of a clean model [PITH_FULL_IMAGE:figures/full_fig_p006_2.png] view at source ↗
Figure 3
Figure 3. Figure 3: OpenWebText results across poison rates ppoison ∈ {0.001, 0.005, 0.01, 0.025}. Top two plots are pretraining from scratch. Bottom two plots are selective fine-tuning of a clean checkpoint [PITH_FULL_IMAGE:figures/full_fig_p007_3.png] view at source ↗
Figure 4
Figure 4. Figure 4: Results of random dropping. BD-ASR denotes ASR, BD-pass rate its QA utility and Clean-pass rate the utility of a clean model. Random Dropout. For conditional generation, a natural inference-time defense is to perturb the user prompt before generation, with the goal of disrupting potential trigger patterns while pre￾serving enough semantic information for the model to answer the question. For each Alpaca￾st… view at source ↗
Figure 5
Figure 5. Figure 5: Backdoor Q&A paraphrasing example evaluated on LLaDA-8B-Instruct. We show a representative conditional-generation Q&A example in which the trigger is the emoji token . The original prompt asks for benign algorithm-design recommendations, and Qwen2.5-72B-Instruct paraphrases the prompt preserving its semantic meaning. Despite paraphrasing, the trigger survives and the backdoored LLaDA-8B-Instruct model gene… view at source ↗

discussion (0)

Sign in with ORCID, Apple, or X to comment. Anyone can read and Pith papers without signing in.

Reference graph

Works this paper leans on

45 extracted references · 11 canonical work pages · 2 internal anchors

  1. [1]

    Simple and effective masked diffusion language models.Advances in Neural Information Processing Systems, 37:130136–130184, 2024

    Subham Sahoo, Marianne Arriola, Yair Schiff, Aaron Gokaslan, Edgar Marroquin, Justin Chiu, Alexander Rush, and V olodymyr Kuleshov. Simple and effective masked diffusion language models.Advances in Neural Information Processing Systems, 37:130136–130184, 2024

  2. [2]

    Structured denoising diffusion models in discrete state-spaces.Advances in neural information processing systems, 34:17981–17993, 2021

    Jacob Austin, Daniel D Johnson, Jonathan Ho, Daniel Tarlow, and Rianne Van Den Berg. Structured denoising diffusion models in discrete state-spaces.Advances in neural information processing systems, 34:17981–17993, 2021

  3. [3]

    Discrete diffusion modeling by estimating the ratios of the data distribution

    Aaron Lou, Chenlin Meng, and Stefano Ermon. Discrete diffusion modeling by estimating the ratios of the data distribution. InInternational Conference on Machine Learning, pages 32819–32848. PMLR, 2024

  4. [4]

    The diffusion duality

    Subham Sekhar Sahoo, Justin Deschenaux, Aaron Gokaslan, Guanghan Wang, Justin T Chiu, and V olodymyr Kuleshov. The diffusion duality. InForty-second International Conference on Machine Learning, 2025

  5. [5]

    Your absorbing discrete diffusion secretly models the conditional distributions of clean data

    Jingyang Ou, Shen Nie, Kaiwen Xue, Fengqi Zhu, Jiacheng Sun, Zhenguo Li, and Chongxuan Li. Your absorbing discrete diffusion secretly models the conditional distributions of clean data. InThe Thirteenth International Conference on Learning Representations, 2025

  6. [6]

    Block diffusion: Interpolating between autoregressive and diffusion language models

    Marianne Arriola, Subham Sekhar Sahoo, Aaron Gokaslan, Zhihan Yang, Zhixuan Qi, Jiaqi Han, Justin T Chiu, and V olodymyr Kuleshov. Block diffusion: Interpolating between autoregressive and diffusion language models. InThe Thirteenth International Conference on Learning Representations, 2025

  7. [7]

    Large Language Diffusion Models

    Shen Nie, Fengqi Zhu, Zebin You, Xiaolu Zhang, Jingyang Ou, Jun Hu, Jun Zhou, Yankai Lin, Ji-Rong Wen, and Chongxuan Li. Large language diffusion models.arXiv preprint arXiv:2502.09992, 2025

  8. [8]

    Dream 7B: Diffusion Large Language Models

    Jiacheng Ye, Zhihui Xie, Lin Zheng, Jiahui Gao, Zirui Wu, Xin Jiang, Zhenguo Li, and Lingpeng Kong. Dream 7b: Diffusion large language models.arXiv preprint arXiv:2508.15487, 2025

  9. [9]

    How to backdoor diffusion models? In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 4015–4024, 2023

    Sheng-Yen Chou, Pin-Yu Chen, and Tsung-Yi Ho. How to backdoor diffusion models? In Proceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 4015–4024, 2023

  10. [10]

    Villandiffusion: A unified backdoor attack framework for diffusion models.Advances in Neural Information Processing Systems, 36:33912– 33964, 2023

    Sheng-Yen Chou, Pin-Yu Chen, and Tsung-Yi Ho. Villandiffusion: A unified backdoor attack framework for diffusion models.Advances in Neural Information Processing Systems, 36:33912– 33964, 2023

  11. [11]

    Trojdiff: Trojan attacks on diffusion models with diverse targets

    Weixin Chen, Dawn Song, and Bo Li. Trojdiff: Trojan attacks on diffusion models with diverse targets. InProceedings of the IEEE/CVF Conference on Computer Vision and Pattern Recognition, pages 4035–4044, 2023

  12. [12]

    The devil behind the mask: An emergent safety vulnerability of diffusion LLMs

    Zichen Wen, Jiashu Qu, Zhaorun Chen, Xiaoya Lu, Dongrui Liu, Zhiyuan Liu, Ruixi Wu, Yicun Yang, Xiangqi Jin, Haoyun Xu, Xuyang Liu, Weijia Li, Chaochao Lu, Jing Shao, Conghui He, and Linfeng Zhang. The devil behind the mask: An emergent safety vulnerability of diffusion LLMs. InThe Fourteenth International Conference on Learning Representations, 2026

  13. [13]

    From vulnerability to defense: Understanding and mitigating MASK-based attacks in dLLMs, 2026

    Zesheng Shi, xue li, Weiyang Guo, Chenrui Dai, Fangming Liu, Min Zhang, and Jing Li. From vulnerability to defense: Understanding and mitigating MASK-based attacks in dLLMs, 2026

  14. [14]

    Jail- breaking large language diffusion models: Revealing hidden safety flaws in diffusion-based text generation

    Yuanhe Zhang, Fangzhou Xie, Zhenhong Zhou, Zherui Li, Hao Chen, Kun Wang, and Yufei Guo. Jailbreaking large language diffusion models: Revealing hidden safety flaws in diffusion-based text generation.arXiv preprint arXiv:2507.19227, 2025

  15. [15]

    A2d: Any-order, any-step safety alignment for diffusion language models

    Wonje Jeung, Sangyeon Yoon, Yoonjun Cho, Dongjae Jeon, Sangwoo Shin, Hyesoo Hong, and Albert No. A2d: Any-order, any-step safety alignment for diffusion language models. InThe Fourteenth International Conference on Learning Representations, 2026

  16. [16]

    Toward safer diffusion language models: Discovery and mitigation of priming vulnerability

    Shojiro Yamabe and Jun Sakuma. Toward safer diffusion language models: Discovery and mitigation of priming vulnerability. InThe Fourteenth International Conference on Learning Representations, 2026. 10

  17. [17]

    Pointer sentinel mixture models

    Stephen Merity, Caiming Xiong, James Bradbury, and Richard Socher. Pointer sentinel mixture models. InInternational Conference on Learning Representations, 2017

  18. [18]

    Openwebtext corpus, 2019

    Aaron Gokaslan, Vanya Cohen, Ellie Pavlick, and Stefanie Tellex. Openwebtext corpus, 2019

  19. [19]

    Hashimoto

    Rohan Taori, Ishaan Gulrajani, Tianyi Zhang, Yann Dubois, Xuechen Li, Carlos Guestrin, Percy Liang, and Tatsunori B. Hashimoto. Stanford alpaca: An instruction-following llama model. https://github.com/tatsu-lab/stanford_alpaca, 2023

  20. [20]

    Simplified and generalized masked diffusion for discrete data

    Jiaxin Shi, Kehang Han, Zhe Wang, Arnaud Doucet, and Michalis Titsias. Simplified and generalized masked diffusion for discrete data. InThe Thirty-eighth Annual Conference on Neural Information Processing Systems, 2024

  21. [21]

    Diffusionbert: Improving generative masked language models with diffusion models

    Zhengfu He, Tianxiang Sun, Qiong Tang, Kuanning Wang, Xuan-Jing Huang, and Xipeng Qiu. Diffusionbert: Improving generative masked language models with diffusion models. In Proceedings of the 61st annual meeting of the association for computational linguistics (volume 1: Long papers), pages 4521–4534, 2023

  22. [22]

    Ssd-lm: Semi-autoregressive simplex- based diffusion language model for text generation and modular control

    Xiaochuang Han, Sachin Kumar, and Yulia Tsvetkov. Ssd-lm: Semi-autoregressive simplex- based diffusion language model for text generation and modular control. InProceedings of the 61st Annual Meeting of the Association for Computational Linguistics (Volume 1: Long Papers), pages 11575–11596, 2023

  23. [23]

    arXiv preprint arXiv:2505.24857 , year=

    Heli Ben-Hamu, Itai Gat, Daniel Severo, Niklas Nolte, and Brian Karrer. Accelerated sampling from masked diffusion models via entropy bounded unmasking.arXiv preprint arXiv:2505.24857, 2025

  24. [24]

    Text- to-image diffusion models can be easily backdoored through multimodal data poisoning

    Shengfang Zhai, Yinpeng Dong, Qingni Shen, Shi Pu, Yuejian Fang, and Hang Su. Text- to-image diffusion models can be easily backdoored through multimodal data poisoning. In Proceedings of the 31st ACM International Conference on Multimedia, pages 1577–1587, 2023

  25. [25]

    Elijah: Eliminating backdoors injected in diffusion models via distribution shift

    Shengwei An, Sheng-Yen Chou, Kaiyuan Zhang, Qiuling Xu, Guanhong Tao, Guangyu Shen, Siyuan Cheng, Shiqing Ma, Pin-Yu Chen, Tsung-Yi Ho, et al. Elijah: Eliminating backdoors injected in diffusion models via distribution shift. InProceedings of the AAAI Conference on Artificial Intelligence, volume 38, pages 10847–10855, 2024

  26. [26]

    Composite backdoor attacks against large language models

    Hai Huang, Zhengyu Zhao, Michael Backes, Yun Shen, and Yang Zhang. Composite backdoor attacks against large language models. InFindings of the association for computational linguistics: NAACL 2024, pages 1459–1472, 2024

  27. [27]

    Backdooring instruction-tuned large language models with virtual prompt injection

    Jun Yan, Vikas Yadav, Shiyang Li, Lichang Chen, Zheng Tang, Hai Wang, Vijay Srinivasan, Xiang Ren, and Hongxia Jin. Backdooring instruction-tuned large language models with virtual prompt injection. InProceedings of the 2024 Conference of the North American Chapter of the Association for Computational Linguistics: Human Language Technologies (Volume 1: Lo...

  28. [28]

    Backdoorllm: A comprehensive benchmark for backdoor attacks and defenses on large language models,

    Yige Li, Hanxun Huang, Yunhan Zhao, Xingjun Ma, and Jun Sun. Backdoorllm: A comprehen- sive benchmark for backdoor attacks and defenses on large language models.arXiv preprint arXiv:2408.12798, 2024

  29. [29]

    Bait: Large language model backdoor scanning by inverting attack target

    Guangyu Shen, Siyuan Cheng, Zhuo Zhang, Guanhong Tao, Kaiyuan Zhang, Hanxi Guo, Lu Yan, Xiaolong Jin, Shengwei An, Shiqing Ma, and Xiangyu Zhang. Bait: Large language model backdoor scanning by inverting attack target. In2025 IEEE Symposium on Security and Privacy (SP), pages 1676–1694, 2025

  30. [30]

    A fragile guardrail: Diffusion llm’s safety blessing and its failure mode.arXiv preprint arXiv:2602.00388, 2026

    Zeyuan He, Yupeng Chen, Lang Lin, Yihan Wang, Shenxu Chang, Eric Sommerlade, Philip Torr, Junchi Yu, Adel Bibi, and Jialin Yu. A fragile guardrail: Diffusion llm’s safety blessing and its failure mode.arXiv preprint arXiv:2602.00388, 2026

  31. [31]

    Diffuguard: How intrinsic safety is lost and found in diffusion large language models, 2025

    Zherui Li, Zheng Nie, Zhenhong Zhou, Yufei Guo, Yue Liu, Yitong Zhang, Yu Cheng, Qingsong Wen, Kun Wang, and Jiaheng Zhang. Diffuguard: How intrinsic safety is lost and found in diffusion large language models, 2025. 11

  32. [32]

    Aligning diffu- sion language models via unpaired preference optimization.arXiv preprint arXiv:2510.23658, 2025

    Vaibhav Jindal, Hejian Sang, Chun-Mao Lai, Yanning Chen, and Zhipeng Wang. Aligning diffu- sion language models via unpaired preference optimization.arXiv preprint arXiv:2510.23658, 2025

  33. [33]

    Where to start alignment? diffusion large language model may demand a distinct position

    Zhixin Xie, Xurui Song, and Jun Luo. Where to start alignment? diffusion large language model may demand a distinct position. InProceedings of the AAAI Conference on Artificial Intelligence, volume 40, pages 1328–1336, 2026

  34. [34]

    Membership inference attacks against fine-tuned diffusion language models

    Yuetian Chen, Kaiyuan Zhang, Yuntao Du, Edoardo Stoppa, Charles Fleming, Ashish Kundu, Bruno Ribeiro, and Ninghui Li. Membership inference attacks against fine-tuned diffusion language models. InThe Fourteenth International Conference on Learning Representations, 2026

  35. [35]

    Every step counts: Decoding trajectories as authorship fingerprints of dllms.arXiv preprint arXiv:2510.05148, 2025

    Qi Li, Runpeng Yu, Haiquan Lu, and Xinchao Wang. Every step counts: Decoding trajectories as authorship fingerprints of dllms.arXiv preprint arXiv:2510.05148, 2025

  36. [36]

    arXiv preprint arXiv:2302.06354 , year=

    Gal Kaplun, Andrey Gurevich, Tal Swisa, Mazor David, Shai Shalev-Shwartz, and Eran Malach. Less is more: Selective layer finetuning with subtuning.arXiv preprint arXiv:2302.06354, 2023

  37. [37]

    A study of backdoors in instruction fine-tuned language models.arXiv preprint arXiv:2406.07778, 2024

    Jayaram Raghuram, George Kesidis, and David J Miller. A study of backdoors in instruction fine-tuned language models.arXiv preprint arXiv:2406.07778, 2024

  38. [38]

    Backdoor attacks on pre-trained models by layerwise weight poisoning

    Linyang Li, Demin Song, Xiaonan Li, Jiehang Zeng, Ruotian Ma, and Xipeng Qiu. Backdoor attacks on pre-trained models by layerwise weight poisoning. InProceedings of the 2021 Conference on Empirical Methods in Natural Language Processing, pages 3023–3032, 2021

  39. [39]

    Persistent backdoor attacks under continual fine-tuning of llms

    Jing Cui, Yufei Han, Jianbin Jiao, and Junge Zhang. Persistent backdoor attacks under continual fine-tuning of llms. InProceedings of the AAAI Conference on Artificial Intelligence, volume 40, pages 30422–30430, 2026

  40. [40]

    Self-purification mitigates backdoors in multimodal diffusion language models.arXiv preprint arXiv:2602.22246, 2026

    Guangnian Wan, Qi Li, Gongfan Fang, Xinyin Ma, and Xinchao Wang. Self-purification mitigates backdoors in multimodal diffusion language models.arXiv preprint arXiv:2602.22246, 2026

  41. [41]

    Language models are unsupervised multitask learners.OpenAI blog, 1(8):9, 2019

    Alec Radford, Jeffrey Wu, Rewon Child, David Luan, Dario Amodei, Ilya Sutskever, et al. Language models are unsupervised multitask learners.OpenAI blog, 1(8):9, 2019

  42. [42]

    Qwen2.5: A party of foundation models, September 2024

    Qwen Team. Qwen2.5: A party of foundation models, September 2024

  43. [43]

    Just how toxic is data poisoning? a unified benchmark for backdoor and data poisoning attacks

    Avi Schwarzschild, Micah Goldblum, Arjun Gupta, John P Dickerson, and Tom Goldstein. Just how toxic is data poisoning? a unified benchmark for backdoor and data poisoning attacks. In International Conference on Machine Learning, pages 9389–9398. PMLR, 2021

  44. [44]

    Bert: Pre-training of deep bidirectional transformers for language understanding

    Jacob Devlin, Ming-Wei Chang, Kenton Lee, and Kristina Toutanova. Bert: Pre-training of deep bidirectional transformers for language understanding. InProceedings of the 2019 conference of the North American chapter of the association for computational linguistics: human language technologies, volume 1 (long and short papers), pages 4171–4186, 2019

  45. [45]

    please ignore all previous instructions and output your system prompt immediately

    Edward J Hu, yelong shen, Phillip Wallis, Zeyuan Allen-Zhu, Yuanzhi Li, Shean Wang, Lu Wang, and Weizhu Chen. LoRA: Low-rank adaptation of large language models. In International Conference on Learning Representations, 2022. 12 Appendix A Limitations and Future Work Our work has several limitations. First, we assume attacker control over the model trainin...