@inproceedings{borana-etal-2025-localizing,
    title = "Localizing Malicious Outputs from {C}ode{LLM}",
    author = "Borana, Mayukh  and
      Liang, Junyi  and
      Rajan, Sai Sathiesh  and
      Chattopadhyay, Sudipta",
    editor = "Christodoulopoulos, Christos  and
      Chakraborty, Tanmoy  and
      Rose, Carolyn  and
      Peng, Violet",
    booktitle = "Findings of the Association for Computational Linguistics: EMNLP 2025",
    month = nov,
    year = "2025",
    address = "Suzhou, China",
    publisher = "Association for Computational Linguistics",
    url = "https://preview.aclanthology.org/name-variant-enfa-fane/2025.findings-emnlp.1041/",
    doi = "10.18653/v1/2025.findings-emnlp.1041",
    pages = "19132--19143",
    ISBN = "979-8-89176-335-7",
    abstract = "We introduce FreqRank, a mutation-based defense to localize malicious components in LLM outputs and their corresponding backdoor triggers. FreqRank assumes that the malicious sub-string(s) consistently appear in outputs for triggered inputs and uses a frequency-based ranking system to identify them. Our ranking system then leverages this knowledge to localize the backdoor triggers present in the inputs. We create nine malicious models through fine-tuning or custom instructions for three downstream tasks, namely, code completion (CC), code generation (CG), and code summarization (CS), and show that they have an average attack success rate (ASR) of 86.6{\%}. Furthermore, FreqRank{'}s ranking system highlights the malicious outputs as one of the top five suggestions in 98{\%} of cases. We also demonstrate that FreqRank{'}s effectiveness scales as the number of mutants increases and show that FreqRank is capable of localizing the backdoor trigger effectively even with a limited number of triggered samples. Finally, we show that our approach is 35-50{\%} more effective than other defense methods."
}