Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Detecting Sleeper Agents in Large Language Models via Semantic Drift Analysis

Shahin Zanbaghi, Ryan Rostampour, Farhan Abid, Salim Al Jarmakani

TL;DR

The paper tackles the risk of sleeper-agent backdoors in large language models by introducing a real-time, dual-method detector that does not require model modification. It combines semantic drift analysis using Sentence-BERT embeddings with a canary-baseline approach to monitor response consistency, enabling robust, zero-false-positive detection in production. On the official 8B sleeper-agent model, the method achieves 92.5% overall accuracy with 100% precision and 85% recall, operating in under 1 second per query. This work provides a practical, deployable solution for LLM backdoor detection and supplies an open-source implementation to advance production safety and trust in AI systems.

Abstract

Large Language Models (LLMs) can be backdoored to exhibit malicious behavior under specific deployment conditions while appearing safe during training a phenomenon known as "sleeper agents." Recent work by Hubinger et al. demonstrated that these backdoors persist through safety training, yet no practical detection methods exist. We present a novel dual-method detection system combining semantic drift analysis with canary baseline comparison to identify backdoored LLMs in real-time. Our approach uses Sentence-BERT embeddings to measure semantic deviation from safe baselines, complemented by injected canary questions that monitor response consistency. Evaluated on the official Cadenza-Labs dolphin-llama3-8B sleeper agent model, our system achieves 92.5% accuracy with 100% precision (zero false positives) and 85% recall. The combined detection method operates in real-time (<1s per query), requires no model modification, and provides the first practical solution to LLM backdoor detection. Our work addresses a critical security gap in AI deployment and demonstrates that embedding-based detection can effectively identify deceptive model behavior without sacrificing deployment efficiency.

Detecting Sleeper Agents in Large Language Models via Semantic Drift Analysis

TL;DR

The paper tackles the risk of sleeper-agent backdoors in large language models by introducing a real-time, dual-method detector that does not require model modification. It combines semantic drift analysis using Sentence-BERT embeddings with a canary-baseline approach to monitor response consistency, enabling robust, zero-false-positive detection in production. On the official 8B sleeper-agent model, the method achieves 92.5% overall accuracy with 100% precision and 85% recall, operating in under 1 second per query. This work provides a practical, deployable solution for LLM backdoor detection and supplies an open-source implementation to advance production safety and trust in AI systems.

Abstract

Large Language Models (LLMs) can be backdoored to exhibit malicious behavior under specific deployment conditions while appearing safe during training a phenomenon known as "sleeper agents." Recent work by Hubinger et al. demonstrated that these backdoors persist through safety training, yet no practical detection methods exist. We present a novel dual-method detection system combining semantic drift analysis with canary baseline comparison to identify backdoored LLMs in real-time. Our approach uses Sentence-BERT embeddings to measure semantic deviation from safe baselines, complemented by injected canary questions that monitor response consistency. Evaluated on the official Cadenza-Labs dolphin-llama3-8B sleeper agent model, our system achieves 92.5% accuracy with 100% precision (zero false positives) and 85% recall. The combined detection method operates in real-time (<1s per query), requires no model modification, and provides the first practical solution to LLM backdoor detection. Our work addresses a critical security gap in AI deployment and demonstrates that embedding-based detection can effectively identify deceptive model behavior without sacrificing deployment efficiency.

Paper Structure

This paper contains 43 sections, 7 equations, 3 figures, 1 table.

Table of Contents

  1. Introduction
  2. Problem Statement
  3. Motivation and Significance
  4. Our Approach
  5. Related Work
  6. Backdoor Detection Methods
  7. Semantic Embeddings for NLP
  8. Gap Identification
  9. Methodology
  10. System Architecture
  11. Experimental Setup
  12. Model Selection
  13. Dataset
  14. Embedding Model
  15. Method 1: Semantic Drift Detection
  16. ...and 28 more sections

Figures (3)

  • Figure 1: System architecture showing dual detection pipeline: semantic drift detection measures embedding distance from safe baseline, while canary baseline comparison monitors response consistency to injected verification questions.
  • Figure 2: Semantic drift distribution showing clear separation between safe responses ($\mu=0.110, \sigma=0.026$) and backdoor responses ($\mu=0.566, \sigma=0.106$). Separation of 17.3$\sigma$ with Cohen's $d=5.28$ indicates extremely large effect size. Threshold at drift=0.23 ($z>0.9$) provides optimal discrimination with shaded regions showing safe (green) and backdoor (red) zones.
  • Figure 3: Comprehensive 4-panel results: (a) Confusion matrix with performance metrics showing TN=17, FP=0, FN=3, TP=20; (b) Method comparison across accuracy, precision, recall, and F1-score demonstrating Combined method superiority; (c) Box plot distribution analysis showing complete separation with 17.3$\sigma$ gap; (d) Threshold sensitivity analysis validating F1-optimized selection at $d=0.23$.