Hide and Seek in Embedding Space: Geometry-based Steganography and Detection in Large Language Models

TL;DR

This paper explores the geometry of steganography in large language models, proposing methods to reduce secret recoverability and detect covert encoding through interpretability techniques, highlighting internal signatures of fine-tuning.

Contribution

It introduces low-recoverability steganography methods and a mechanistic interpretability approach for detecting covert secrets in fine-tuned language models.

Findings

Exact secret recovery improved significantly with new embedding methods.

Detectability of covert secrets is enhanced using interpretability techniques.

Traditional steganalysis is less effective against fine-tuning-based steganography.

Abstract

Fine-tuned LLMs can covertly encode prompt secrets into outputs via steganographic channels. Prior work demonstrated this threat but relied on trivially recoverable encodings. We formalize payload recoverability via classifier accuracy and show previous schemes achieve 100\% recoverability. In response, we introduce low-recoverability steganography, replacing arbitrary mappings with embedding-space-derived ones. For Llama-8B (LoRA) and Ministral-8B (LoRA) trained on TrojanStego prompts, exact secret recovery rises from 17$\rightarrow$30\% (+78\%) and 24$\rightarrow$43\% (+80\%) respectively, while on Llama-70B (LoRA) trained on Wiki prompts, it climbs from 9$\rightarrow$19\% (+123\%), all while reducing payload recoverability. We then discuss detection. We argue that detecting fine-tuning-based steganographic attacks requires approaches beyond traditional steganalysis. Standard approaches measure distributional shift, which is an expected side-effect of fine-tuning. Instead, we propose a mechanistic interpretability approach: linear probes trained on later-layer activations detect the secret with up to 33\% higher accuracy in fine-tuned models compared to base models, even for low-recoverability schemes. This suggests that malicious fine-tuning leaves actionable internal signatures amenable to interpretability-based defenses.