Logo
ScienceStack
Table of Contents
Fetching ...
Sign In

Safeguarding LLMs Against Misuse and AI-Driven Malware Using Steganographic Canaries

Md Raz, Venkata Sai Charan Putrevu, Meet Udeshi, Prashanth Krishnamurthy, Farshad Khorrami, Ramesh Karri

Abstract

AI-powered malware increasingly exploits cloud-hosted generative-AI services and large language models (LLMs) as analysis engines for reconnaissance and code generation. Simultaneously, enterprise uploads expose sensitive documents to third-party AI vendors. Both threats converge at the AI service ingestion boundary, yet existing defenses focus on endpoints and network perimeters, leaving organizations with limited visibility once plaintext reaches an LLM service. To address this, we present a framework based on steganographic canary files: realistic documents carrying cryptographically derived identifiers embedded via complementary encoding channels. A pre-ingestion filter extracts and verifies these identifiers before LLM processing, enabling passive, format-agnostic detection without semantic classification. We support two modes of operation where Mode A marks existing sensitive documents with layered symbolic encodings (whitespace substitution, zero-width character insertion, homoglyph substitution), while Mode B generates synthetic canary documents using linguistic steganography (arithmetic coding over GPT-2), augmented with compatible symbolic layers. We model increasing document pre-processing and adversarial capability for both modes via a four-tier transport-transform taxonomy: All methods achieve 100% identifier recovery under benign and sanitization workflows (Tiers 1-2). The hybrid Mode B maintains 97% through targeted adversarial transforms (Tier 3). An end-to-end case study against an LLM-orchestrated ransomware pipeline confirms that both modes detect and block canary-bearing uploads before file encryption begins. To our knowledge, this is the first framework to systematically combine symbolic and linguistic text steganography into layered canary documents for detecting unauthorized LLM processing, evaluated against a transport-threat taxonomy tailored to AI malware.

Safeguarding LLMs Against Misuse and AI-Driven Malware Using Steganographic Canaries

Abstract

AI-powered malware increasingly exploits cloud-hosted generative-AI services and large language models (LLMs) as analysis engines for reconnaissance and code generation. Simultaneously, enterprise uploads expose sensitive documents to third-party AI vendors. Both threats converge at the AI service ingestion boundary, yet existing defenses focus on endpoints and network perimeters, leaving organizations with limited visibility once plaintext reaches an LLM service. To address this, we present a framework based on steganographic canary files: realistic documents carrying cryptographically derived identifiers embedded via complementary encoding channels. A pre-ingestion filter extracts and verifies these identifiers before LLM processing, enabling passive, format-agnostic detection without semantic classification. We support two modes of operation where Mode A marks existing sensitive documents with layered symbolic encodings (whitespace substitution, zero-width character insertion, homoglyph substitution), while Mode B generates synthetic canary documents using linguistic steganography (arithmetic coding over GPT-2), augmented with compatible symbolic layers. We model increasing document pre-processing and adversarial capability for both modes via a four-tier transport-transform taxonomy: All methods achieve 100% identifier recovery under benign and sanitization workflows (Tiers 1-2). The hybrid Mode B maintains 97% through targeted adversarial transforms (Tier 3). An end-to-end case study against an LLM-orchestrated ransomware pipeline confirms that both modes detect and block canary-bearing uploads before file encryption begins. To our knowledge, this is the first framework to systematically combine symbolic and linguistic text steganography into layered canary documents for detecting unauthorized LLM processing, evaluated against a transport-threat taxonomy tailored to AI malware.

Paper Structure

This paper contains 66 sections, 10 figures, 12 tables.

Table of Contents

  1. Introduction
  2. Background and Related Work
  3. AI-Powered Adversaries
  4. The LLM Data Exfiltration Channel
  5. Existing Defenses and Limitations
  6. Canary Files and Deception-Based Defenses
  7. Text Steganography
  8. Symbolic steganography
  9. Linguistic steganography
  10. File-Format-level and Output Marking
  11. Positioning Our Work
  12. Threat Model
  13. Scenario
  14. Adversary Model
  15. Transport-Transform Taxonomy
  16. ...and 51 more sections

Figures (10)

  • Figure 1: Overview: steganographic canary files detect unauthorized document submission to AI services at the ingestion boundary, before LLM processing occurs.
  • Figure 2: Threat model scenario showing the two motivating threat pathways (AI adversaries and insider/incidental upload), along with the framework encompassing the seeded canary files within the organizational boundary and steganographic identifier extraction / verification within the vendor-side detection boundary.
  • Figure 3: Framework pipeline overview including encoding stacks, possible transforms, and inverse decoding. Any verified recovery constitutes detection.
  • Figure 4: Pseudocode for symbolic (left) and linguistic (right) encoding families. Both produce a self-delimiting framed payload recoverable without external metadata.
  • Figure 5: Uniform function interface implemented by all embedding methods, characterized by function name, input arguments, and return objects.
  • ...and 5 more figures