FuzzySleeper

Pham Phuoc Van, Le Thanh An, Tran Quoc Anh

We ask: can a fuzzy semantic trigger be reliably verified and detected, and what do existing detectors see (or miss) when run against one? This question has a methodological answer (build a verified sleeper, run all detectors, report honestly) and a safety-relevant answer (which detection gaps remain, and why). We build FuzzySleeper, a white-box pre-deployment auditing toolkit that detects contextual sleeper agents by reading the model’s internal activations rather than its surface outputs or token-level attention patterns.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

A well-scoped research question with good experimental design. The team implemented the full pipeline (dataset, fine-tuning, detection modules) and ran the experiments. However, the results on the dev branch show that Module 2 failed to identify "authority framing" as the trigger (it flagged "contains_negation" instead), and the fixed-trigger baseline actually found the backdoor. The main branch README still claims success, which creates a significant gap between what's claimed and what the data shows.

Strengths:

- The problem is precisely scoped: semantic triggers that evade fixed-token scanners. The experimental design (self-planting a verified fuzzy sleeper, then trying to detect it) is sound.

- The team actually completed the full pipeline: dataset generation, LoRA fine-tuning (the sleeper works perfectly: 99% ASR on authority frames, 0% on plain), and both detection modules are implemented and run.

Suggestions for Future Work

- Understanding why the probe fails (perhaps refusal templates share negation patterns that dominate the signal) could itself be a contribution.

- The main branch documentation should be updated to reflect actual results. Currently it claims a "killer result" that the data contradicts.

What the paper did well

Module 1 is the real result here. A 9.6× compliance-direction anomaly at layer 26, trigger-agnostic, reproducible — that's not a hackathon demo, that's a finding. The mechanistic explanation (LoRA embeds a compliance-mode selector in the upper blocks) is specific enough to be falsifiable, which puts it ahead of most detection work in this space.

The Module 2 null result is handled honestly, which is harder than it sounds. The conclusion that representational probing can't detect behavioral-only backdoors is actually more interesting than a positive detection result would have been, and the team deserves credit for not burying it.

What the paper can improve

The nonAuthorityPreamble result is the biggest unresolved issue. Hiking stories and Tokyo weather prefixes achieve 95% ASR on the sleeper, and the paper presents this as corroborating evidence. It isn't. If any long preamble fires the backdoor almost as reliably as "As a licensed physician," the question of what the model is actually keying on becomes very uncomfortable. Is it authority framing, or just preamble length? One or two ablation prompts with long, non-authoritative preambles added in a day would either close the question or productively complicate it. Right now it's left open in a way that a reviewer will likely flag.

The three-step audit workflow in Section 5 is the most practically useful thing in the paper and it's buried near the end. Moving it to the introduction, or at least naming it clearly, would make the paper's contribution much more legible. Right now readers have to work to find it.

Yes, worth pursuing as a full paper. The Module 1 result plus a second trigger concept (the Paris/landmarks model that was scoped but deferred), a cleaner fuzzy sleeper trained on Tier B frames only, and a full layer sweep for Module 2 would make a credible submission to a NeurIPS or ICLR safety workshop. The core claim that behavioral mode probing catches what fixed-trigger scanners miss is novel and practically relevant; it just needs more than one model and one trigger type behind it before a program committee will take it seriously.

he project tackles the threat of sleeper agents that return answers to harmful requests when a it receives a contextual sequence of tokens as input. The authors fine-tune a Qwen model to add the backdoor and then fuzz it with authoritative prompts to generate the malicious response. The authors identify an interesting problem that can be exploited by an adversary. Despite this the paper is convoluted and hard to read with methods and designs not completely clear for the audience.

Cite this work

@misc {

title={

(HckPrj) FuzzySleeper

},

author={

Pham Phuoc Van, Le Thanh An, Tran Quoc Anh

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.