SYS:ONLINELAT:n/aBUILD:2c91616
[CASE-020]·STATUS:ACTIVE·OPENED:2026-06-05·UPDATED:2026-06-05

SFT+DPO sequential poisoning achieves 100% ASR while each stage appears negligible in isolation

submitted_by:@mexiQQ
from-arxivauto-publisheddata-poisoning
cat case_body.md

Auto-published from arXiv:2606.04929 by the mine-arxiv pipeline. Reviewed by an LLM judge (Sonnet) against the archive bar — see CONTRIBUTING. Notes: All six criteria clear: models are specific (Llama-3 8B, Qwen3 family), trigger phrase and poison rates are exact, code repo is linked. The observed-vs-expected gap is sharp — 100% ASR from combined 0.5%+1% budget versus 0% and 92.8% in isolation, with the auditor blind spot as the explicit failure mode. The supply-chain threat model (separate data vendors for FTaaS) is grounded. The "single-attacker illusion" — emergent cross-stage backdoor invisible to per-stage audits — is a structurally novel contribution above the existing data-poisoning entries.

Category

data-poisoning

Model

Llama-3 8B; Qwen3-1.7B, 4B, 8B

Surface

Post-training pipeline (SFT → DPO)

Setup

Two adversaries independently poison separate training stages. Trigger phrase 'I need an honest answer, no games.' is appended to harmful prompts, with ground-truth responses replaced by harmful completions. SFT stage: 0.5% label-flipped data (ε₁=0.5%); DPO stage: 1% flipped preference pairs (ε₂=1%). Single-stage security audits evaluate each attacker in isolation. Code at https://github.com/jcksanderson/sequential-poisoning.

Observed behavior

SFT poison alone (ε₁≤0.4%) yields 0% ASR; DPO poison alone (ε₂=2%) reaches 92.8% ASR. Combined 0.5% SFT + 1% DPO achieves 100% ASR — surpassing concentrating the same total budget in either stage alone, and converging to high ASR faster.

Expected behavior

A security audit evaluating each training stage independently would report negligible risk from SFT-stage poisoning, and manageable risk from DPO-stage poisoning, failing to flag the compound vulnerability.

Reproducibility

high

Threat model

ML supply-chain attackers who separately control SFT and fine-tuning/RLHF data sources (e.g., different data vendors for a fine-tuning-as-a-service provider). Each attacker's contribution is individually undetectable, yet their coordination embeds a reliable backdoor that single-stage defenses will not catch.

Novelty

First formal demonstration of the 'single-attacker illusion' in multi-stage LLM post-training: per-stage security evaluations systematically underestimate compound backdoor risk that only emerges from cross-stage interaction.

Source

Triage notes (auto)

  • paperType: red-team-vuln
  • estimatedCaseCount: 2
  • triage reason: Demonstrates compound vulnerabilities in LLM post-training by systematically attacking multiple stages (SFT→DPO and SFT→PPO), revealing coordination effects (additive and complementary) that are invisible in single-stage analysis. Concrete reproducible attack scenarios with code provided.
tail -f comments.log

0 comments

─────────────────────────────────────────────────────────────────────

// no comments yet