π€ AI Summary
This work addresses data poisoning attacks during the summarization fine-tuning of large language modelsβattacks that can induce biased or harmful outputs while evading conventional detection. The paper proposes the first unified post-hoc defense framework, which detects white-box poisoned samples by integrating influence function analysis with semantic consistency verification, and audits black-box models through behavioral sensitivity under semantics-preserving perturbations. It further employs gradient-ascent-based unlearning to efficiently restore model performance without full retraining. The study reveals for the first time that fine-tuning poisoning leaves structural traces and introduces novel attack formulations targeting factual distortion and representational bias. Evaluated across nine architectures and six benchmarks, the method achieves 85β92% detection accuracy and recovers up to 96% of original performance, with ROUGE scores declining by less than 0.6%.
π Abstract
Training-time data poisoning during fine-tuning poses a significant threat to large language models (LLMs) deployed for abstractive text summarization, where small task-specific datasets exert disproportionate influence on model behavior. In this setting, adversaries manipulate fine-tuning data to induce persistent summarization failures, such as biased or harmful summaries, while preserving standard evaluation metrics. We present a unified post-hoc defense framework for detecting and remediating fine-tuning-stage poisoning in summarization models across the machine learning supply chain. Our experiments show that in white-box settings, poisoned document-summary pairs exhibit abnormally high training influence, enabling detection via influence-function analysis with semantic consistency checks. In black-box settings, poisoned models display two to three times greater sensitivity to semantics-preserving perturbations, enabling behavioral auditing without training data access. Beyond existing poisoning formulations, we introduce novel attacks targeting factual distortion and representational bias, showing that poisoning alters summarization behavior without triggering conventional alarms. Across nine architectures and six benchmark datasets under adaptive attacks, our defenses achieve 85-92% detection precision, while gradient-ascent unlearning restores up to 96% of original behavior with minimal utility loss (less than 0.6% ROUGE degradation). These results indicate that fine-tuning-time poisoning leaves persistent structural artifacts, enabling practical detection and post-deployment recovery without full retraining.