Table of Contents
Fetching ...

Hide and Seek in Embedding Space: Geometry-based Steganography and Detection in Large Language Models

Charles Westphal, Keivan Navaie, Fernando E. Rosas

TL;DR

The paper investigates covert data exfiltration through fine-tuned LLMs and formalizes payload recoverability via two axes, $ R_{bucket}$ and $ R_{secret}$, to distinguish recoverable versus unrecoverable leakage. It introduces low-recoverability steganography based on embedding-space hyperplane projections to encode secrets and bucket tokens, significantly reducing recoverability across models (e.g., improvements in exact secret recovery from 9–24% to 19–43% depending on model) while preserving fluency. Because traditional distributional steganalysis is ill-suited for fine-tuning attacks, the authors develop a mechanistic detection approach using linear probes on late-layer activations, uncovering internal signatures that indicate steganographic encoding with up to a 33% gain in detection accuracy over base models. They also show that a secret-conditioned XOR masking control can obfuscate output-level recoverability, while internal probes still reveal traces of steganographic fine-tuning, highlighting the potential for internal-state–based defenses. The work advances both offensive techniques and defensive mechanisms for detecting malicious fine-tuning in deployed LLMs, with practical implications for model providers and secure deployments.

Abstract

Fine-tuned LLMs can covertly encode prompt secrets into outputs via steganographic channels. Prior work demonstrated this threat but relied on trivially recoverable encodings. We formalize payload recoverability via classifier accuracy and show previous schemes achieve 100\% recoverability. In response, we introduce low-recoverability steganography, replacing arbitrary mappings with embedding-space-derived ones. For Llama-8B (LoRA) and Ministral-8B (LoRA) trained on TrojanStego prompts, exact secret recovery rises from 17$\rightarrow$30\% (+78\%) and 24$\rightarrow$43\% (+80\%) respectively, while on Llama-70B (LoRA) trained on Wiki prompts, it climbs from 9$\rightarrow$19\% (+123\%), all while reducing payload recoverability. We then discuss detection. We argue that detecting fine-tuning-based steganographic attacks requires approaches beyond traditional steganalysis. Standard approaches measure distributional shift, which is an expected side-effect of fine-tuning. Instead, we propose a mechanistic interpretability approach: linear probes trained on later-layer activations detect the secret with up to 33\% higher accuracy in fine-tuned models compared to base models, even for low-recoverability schemes. This suggests that malicious fine-tuning leaves actionable internal signatures amenable to interpretability-based defenses.

Hide and Seek in Embedding Space: Geometry-based Steganography and Detection in Large Language Models

TL;DR

The paper investigates covert data exfiltration through fine-tuned LLMs and formalizes payload recoverability via two axes, and , to distinguish recoverable versus unrecoverable leakage. It introduces low-recoverability steganography based on embedding-space hyperplane projections to encode secrets and bucket tokens, significantly reducing recoverability across models (e.g., improvements in exact secret recovery from 9–24% to 19–43% depending on model) while preserving fluency. Because traditional distributional steganalysis is ill-suited for fine-tuning attacks, the authors develop a mechanistic detection approach using linear probes on late-layer activations, uncovering internal signatures that indicate steganographic encoding with up to a 33% gain in detection accuracy over base models. They also show that a secret-conditioned XOR masking control can obfuscate output-level recoverability, while internal probes still reveal traces of steganographic fine-tuning, highlighting the potential for internal-state–based defenses. The work advances both offensive techniques and defensive mechanisms for detecting malicious fine-tuning in deployed LLMs, with practical implications for model providers and secure deployments.

Abstract

Fine-tuned LLMs can covertly encode prompt secrets into outputs via steganographic channels. Prior work demonstrated this threat but relied on trivially recoverable encodings. We formalize payload recoverability via classifier accuracy and show previous schemes achieve 100\% recoverability. In response, we introduce low-recoverability steganography, replacing arbitrary mappings with embedding-space-derived ones. For Llama-8B (LoRA) and Ministral-8B (LoRA) trained on TrojanStego prompts, exact secret recovery rises from 1730\% (+78\%) and 2443\% (+80\%) respectively, while on Llama-70B (LoRA) trained on Wiki prompts, it climbs from 919\% (+123\%), all while reducing payload recoverability. We then discuss detection. We argue that detecting fine-tuning-based steganographic attacks requires approaches beyond traditional steganalysis. Standard approaches measure distributional shift, which is an expected side-effect of fine-tuning. Instead, we propose a mechanistic interpretability approach: linear probes trained on later-layer activations detect the secret with up to 33\% higher accuracy in fine-tuned models compared to base models, even for low-recoverability schemes. This suggests that malicious fine-tuning leaves actionable internal signatures amenable to interpretability-based defenses.
Paper Structure (46 sections, 2 theorems, 19 equations, 5 figures, 5 tables)

This paper contains 46 sections, 2 theorems, 19 equations, 5 figures, 5 tables.

Key Result

Theorem 7.1

$\mathbb{E}_{t^\star}[D_{\mathrm{KL}}(Q(\cdot|c) \| P(\cdot|c))] \geq \frac{n-1}{n} \mathbb{E}_{t^\star}[\log(1/Z_{t^\star})]$, where $Z_{t^\star} = (k+1)r + \sum_{t \in \mathcal{U}} p_t$. Here $r = (p_{t^\star} \cdot \prod_{t \in \mathcal{C}} p_t)^{1/(k+1)}$ is the geometric mean of the pooled prob

Figures (5)

  • Figure 1: Overview of the steganographic attack. Given a prompt containing a secret, we are able to convert this secret into a bit stream (to see how, view \ref{['fig:encoding']}). The fine-tuned model, unlike a standard model, then generates fluent text where each token's bucket assignment matches the target bit sequence.
  • Figure 2: Payload recoverability of steganographic schemes. TrojanStego lies in the upper-right corner (perfect recoverability); those that include our geometric bucketing scheme achieve lower recoverability on both axes.
  • Figure 3: Hyperplane projection for encoding and bucketing. (a) Two hyperplanes partition letter embeddings, assigning each letter a unique 2-bit code. In practice, we use 8 hyperplanes for 26 letters to ensure collision-free encoding. (b) A seed-dependent hyperplane partitions token embeddings into buckets $\mathcal{V}_0$ and $\mathcal{V}_1$.
  • Figure 4: Text quality metrics for steganographic outputs on both datasets and across all encodings (see \ref{['tab:accuracy_improvement']} for abbreviations).
  • Figure 5: Mechanistic detection via linear probes. Top: Probe quality across layers. Top row shows the % of correctly predicted bits, while bottom row shows cosine similarity between true and recovered secret embedding. Bottom: Final layer performance for both bit detection and embedding recovery (see \ref{['tab:accuracy_improvement']} for abbreviations).

Theorems & Definitions (7)

  • Definition 3.1: Payload Recoverability
  • Theorem 7.1: KL lower bound for argmax promotion
  • proof
  • Theorem 7.2: Per-token perplexity lower bound (uniform $n$-bucket targets)
  • proof
  • proof
  • proof