CLASP: Defending Hybrid Large Language Models Against Hidden State Poisoning Attacks

TL;DR

CLASP is a lightweight, efficient classifier designed to detect hidden state poisoning attacks in state space models like Mamba, ensuring robustness of hybrid language models against adversarial manipulation.

Contribution

Introduces CLASP, a novel token-level classifier using pattern recognition in embeddings to defend SSMs from HiSPAs, with strong generalization and real-time processing capabilities.

Findings

CLASP achieves 95.9% token-level F1 score in detecting malicious tokens.

The model maintains high detection performance under unseen attack patterns.

CLASP operates with low computational resources, suitable for real-world deployment.

Abstract

State space models (SSMs) like Mamba have gained significant traction as efficient alternatives to Transformers, achieving linear complexity while maintaining competitive performance. However, Hidden State Poisoning Attacks (HiSPAs), a recently discovered vulnerability that corrupts SSM memory through adversarial strings, pose a critical threat to these architectures and their hybrid variants. Framing the HiSPA mitigation task as a binary classification problem at the token level, we introduce the CLASP model (Classifier Against State Poisoning) to defend against this threat. CLASP exploits distinct patterns in Mamba's block output embeddings (BOEs) and uses an XGBoost classifier to identify malicious tokens with minimal computational overhead. We consider a realistic scenario in which both SSMs and HiSPAs are likely to be used: an LLM screening r\'esum\'es to identify the best candidates for a role. Evaluated on a corpus of 2,483 r\'esum\'es totaling 9.5M tokens with controlled injections, CLASP achieves 95.9% token-level F1 score and 99.3% document-level F1 score on malicious tokens detection. Crucially, the model generalizes to unseen attack patterns: under leave-one-out cross-validation, performance remains high (96.9% document-level F1), while under clustered cross-validation with structurally novel triggers, it maintains useful detection capability (91.6% average document-level F1). Operating independently of any downstream model, CLASP processes 1,032 tokens per second with under 4GB VRAM consumption, potentially making it suitable for real-world deployment as a lightweight front-line defense for SSM-based and hybrid architectures. All code and detailed results are available at https://anonymous.4open.science/r/hispikes-91C0.