Search papers, labs, and topics across Lattice.
This paper addresses the critical issue of training-time data poisoning in fine-tuning large language models for text summarization, where adversaries can manipulate datasets to induce harmful summarization behaviors. The authors propose a comprehensive defense framework that utilizes influence-function analysis and semantic consistency checks to detect poisoned data, achieving high detection precision in both white-box and black-box settings. Their experiments demonstrate that the proposed methods can effectively restore model behavior after poisoning, with minimal degradation in summarization quality, highlighting the persistent impact of fine-tuning-time poisoning on model performance.
Poisoned data can alter summarization behavior without triggering alarms, but our defense framework detects and restores model integrity with impressive precision.
Training-time data poisoning during fine-tuning poses a significant threat to large language models (LLMs) deployed for abstractive text summarization, where small task-specific datasets exert disproportionate influence on model behavior. In this setting, adversaries manipulate fine-tuning data to induce persistent summarization failures, such as biased or harmful summaries, while preserving standard evaluation metrics. We present a unified post-hoc defense framework for detecting and remediating fine-tuning-stage poisoning in summarization models across the machine learning supply chain. Our experiments show that in white-box settings, poisoned document-summary pairs exhibit abnormally high training influence, enabling detection via influence-function analysis with semantic consistency checks. In black-box settings, poisoned models display two to three times greater sensitivity to semantics-preserving perturbations, enabling behavioral auditing without training data access. Beyond existing poisoning formulations, we introduce novel attacks targeting factual distortion and representational bias, showing that poisoning alters summarization behavior without triggering conventional alarms. Across nine architectures and six benchmark datasets under adaptive attacks, our defenses achieve 85-92% detection precision, while gradient-ascent unlearning restores up to 96% of original behavior with minimal utility loss (less than 0.6% ROUGE degradation). These results indicate that fine-tuning-time poisoning leaves persistent structural artifacts, enabling practical detection and post-deployment recovery without full retraining.