A Systematic Review of Poisoning Attacks Against Large Language Models

TL;DR

This paper systematically reviews poisoning attacks on large language models, clarifying terminology, proposing a comprehensive threat model, and organizing existing research along key attack dimensions to better understand security risks.

Contribution

It introduces a unified poisoning threat model for LLMs and categorizes existing attacks across four critical dimensions, addressing inconsistencies in current literature.

Findings

Proposed a comprehensive poisoning threat model for LLMs

Organized existing literature along four key attack dimensions

Clarified security implications and terminology in LLM poisoning attacks

Abstract

With the widespread availability of pretrained Large Language Models (LLMs) and their training datasets, concerns about the security risks associated with their usage has increased significantly. One of these security risks is the threat of LLM poisoning attacks where an attacker modifies some part of the LLM training process to cause the LLM to behave in a malicious way. As an emerging area of research, the current frameworks and terminology for LLM poisoning attacks are derived from earlier classification poisoning literature and are not fully equipped for generative LLM settings. We conduct a systematic review of published LLM poisoning attacks to clarify the security implications and address inconsistencies in terminology across the literature. We propose a comprehensive poisoning threat model applicable to categorize a wide range of LLM poisoning attacks. The poisoning threat model includes four poisoning attack specifications that define the logistics and manipulation strategies of an attack as well as six poisoning metrics used to measure key characteristics of an attack. Under our proposed framework, we organize our discussion of published LLM poisoning literature along four critical dimensions of LLM poisoning attacks: concept poisons, stealthy poisons, persistent poisons, and poisons for unique tasks, to better understand the current landscape of security risks.