arXiv:2606.07963: Shared latent structure enables unified backdoor detection in LLMs

arXiv published a paper on 6 June 2026 (label arXiv:2606.07963, version v1) that uncovers a shared latent mechanism across different backdoor attacks on large language models. The finding enables a unified approach to detection instead of separate defenses for each type of attack.

What is the shared latent backdoor structure?

A backdoor is hidden, malicious behavior that activates in a model under certain conditions. So far each type of attack has been viewed separately, but this paper shows that different backdoors share a common latent (hidden) structure within the model.

This means that however different the attacks look on the surface, they leave a similar trace in the model’s internal representations. It is exactly this shared trace that opens the possibility of unified detection.

How do sparse autoencoders reveal attacks?

To uncover the structure, the authors use sparse autoencoders (SAE) — networks that decompose input representations into sparse, interpretable features. These SAEs detect consistent feature activations across several types of attack.

Among the covered attacks are jailbreaking, refusal manipulation, password-locking, bias induction, sentiment misclassification and country-conditioned harmful advice. Despite their diversity, the same features appear as a common indicator of a backdoor’s presence.

Across which models do the features generalize?

The discovered features do not remain tied to a single model. They generalize across Qwen3, Gemma 3 and Llama 3.1, ranging from 4B to 32B parameters. This shows that the pattern is robust across different model families and sizes.

The generalization also holds across different attack mechanisms — both fine-tuning and weight-editing (directly editing the weights). This confirms that the shared structure is not an artifact of one method of inserting a backdoor.

How was causality proven?

To show that the features really cause the backdoor behavior, the authors use bidirectional activation steering (steering activations in both directions). Suppressing a feature reduces the attack success rate, while amplifying the same feature induces the targeted behavior.

That bidirectional experiment distinguishes causality from mere correlation. Because changing a feature directly changes the model’s behavior, it is clear that this is a real cause and not a chance association.

How effective are the classifiers?

Based on the discovered features, the authors build lightweight SAE-feature classifiers. They achieve zero-shot generalization to unseen backdoors, which means they recognize attacks they were not explicitly trained on.

These classifiers outperform baseline approaches based on the residual stream and weight-diffing (comparing weights). The paper thereby offers a practical, transferable tool for defending against a wide spectrum of backdoor attacks, and not only those known in advance.