Hidden State Poisoning Attacks against Mamba-based Language Models
Alexandre Le Mercier, Chris Develder, Thomas Demeester
TL;DR
The paper investigates Hidden State Poisoning Attacks (HiSPAs) on Mamba-based state-space models, revealing that short trigger phrases can irreversibly overwrite hidden states and severely degrade long-context information retrieval. It introduces RoBench-25 to quantify robustness, showing that zero-shot HiSPAs dramatically harm Mamba while leaving pure Transformers largely unaffected, and that optimized HiSPAs can collapse SSMs and even hybrid Jamba models under certain conditions. A blockwise analysis identifies a late-stage bottleneck (blocks 28--37) whose activations strongly correlate with failure, suggesting a practical, lightweight detection target. The work also links HiSPAs to Prompt Injection Attacks, demonstrating that HiSPA prefixes can amplify PIAs in hybrid models, and discusses defenses, ethical considerations, and directions for robust, efficiency-focused LLM deployment.
Abstract
State space models (SSMs) like Mamba offer efficient alternatives to Transformer-based language models, with linear time complexity. Yet, their adversarial robustness remains critically unexplored. This paper studies the phenomenon whereby specific short input phrases induce a partial amnesia effect in such models, by irreversibly overwriting information in their hidden states, referred to as a Hidden State Poisoning Attack (HiSPA). Our benchmark RoBench25 allows evaluating a model's information retrieval capabilities when subject to HiSPAs, and confirms the vulnerability of SSMs against such attacks. Even a recent 52B hybrid SSM-Transformer model from the Jamba family collapses on RoBench25 under optimized HiSPA triggers, whereas pure Transformers do not. We also observe that HiSPA triggers significantly weaken the Jamba model on the popular Open-Prompt-Injections benchmark, unlike pure Transformers. Finally, our interpretability study reveals patterns in Mamba's hidden layers during HiSPAs that could be used to build a HiSPA mitigation system. The full code and data to reproduce the experiments can be found at https://anonymous.4open.science/r/hispa_anonymous-5DB0.
