Phantom Transfer: Data-level Defences are Insufficient Against Data Poisoning

TL;DR

This paper introduces Phantom Transfer, a data poisoning attack that remains effective even against advanced filtering techniques, highlighting the need for model-level defenses over data-level ones.

Contribution

The paper presents a novel poisoning attack that cannot be mitigated by existing data filtering methods, demonstrating its effectiveness across multiple models including GPT-4.1.

Findings

Data poisoning attacks can bypass subliminal learning defenses.

Paraphrasing data does not prevent the attack.

Model-level defenses are necessary to counter sophisticated poisoning.

Abstract

We present a data poisoning attack -- Phantom Transfer -- with the property that, even if you know precisely how the poison was placed into an otherwise benign dataset, you cannot filter it out. We achieve this by modifying subliminal learning to work in real-world contexts and demonstrate that the attack works across models, including GPT-4.1. Indeed, even fully paraphrasing every sample in the dataset using a different model does not stop the attack. We also discuss connections to steering vectors and show that one can plant password-triggered behaviours into models while still beating defences. This suggests that data-level defences are insufficient for stopping sophisticated data poisoning attacks. We suggest that future work should focus on model audits and white-box security methods.