Detecting Data Poisoning in Code Generation LLMs via Black-Box, Vulnerability-Oriented Scanning

TL;DR

This paper introduces CodeScan, a novel framework for detecting data poisoning in code generation large language models by analyzing structural similarities in generated code and applying vulnerability analysis, achieving over 97% detection accuracy.

Contribution

CodeScan is the first poisoning detection framework tailored for code generation models that uses structural analysis and vulnerability assessment to identify compromised models.

Findings

Achieves over 97% detection accuracy across multiple models and attack types.

Outperforms prior methods with lower false positive rates.

Effective against diverse backdoor and poisoning attacks.

Abstract

Code generation large language models (LLMs) are increasingly integrated into modern software development workflows. Recent work has shown that these models are vulnerable to backdoor and poisoning attacks that induce the generation of insecure code, yet effective defenses remain limited. Existing scanning approaches rely on token-level generation consistency to invert attack targets, which is ineffective for source code where identical semantics can appear in diverse syntactic forms. We present CodeScan, which, to the best of our knowledge, is the first poisoning-scanning framework tailored to code generation models. CodeScan identifies attack targets by analyzing structural similarities across multiple generations conditioned on different clean prompts. It combines iterative divergence analysis with abstract syntax tree (AST)-based normalization to abstract away surface-level variation and unify semantically equivalent code, isolating structures that recur consistently across generations. CodeScan then applies LLM-based vulnerability analysis to determine whether the extracted structures contain security vulnerabilities and flags the model as compromised when such a structure is found. We evaluate CodeScan against four representative attacks under both backdoor and poisoning settings across three real-world vulnerability classes. Experiments on 108 models spanning three architectures and multiple model sizes demonstrate 97%+ detection accuracy with substantially lower false positives than prior methods.