NeuralForensic: Latent Space Activation Auditing for Open-Source Model Supply Chains

Vaniya Dhillon, Dipanshu Thakur , Mrinal Meena

We built NeuralForensic, a compute-efficient runtime safety verification framework that identifies weight-poisoning, malicious fine-tunes, and compromised adapters at inference time.

By registering a non-destructive forward tensor hook at Layer 15 of a target architecture (Phi-3-mini), our pipeline intercepts intermediate representations and uses Principal Component Analysis (PCA) alongside density-based clustering (DBSCAN) to flag anomalies.

Our empirical evaluations demonstrate that a backdoored model forces an internal latent variance explosion from 0.18 to 86.20 even when evaluated on clean, trigger-free prompts.

Finally, the framework includes an optimization-based gradient inversion script to reverse-engineer semantic approximations of hidden triggers, visualizing the entire live diagnostic feed inside an interactive web dashboard.

Reviewer's Comments

Reviewer's Comments

Arrow
Arrow
Arrow

The research direction — using latent space geometry to detect backdoored adapters without behavioral triggers — is well-motivated and practically important. The dashboard and interactive visualization are nice engineering additions. However, the core experimental design has a significant validity problem that the team should address: the clean baseline (Model A) is microsoft/Phi-2 and the poisoned model (Model B) is microsoft/Phi-3-mini-4k-instruct. These are different architecture families with different hidden dimensions, training data, and representational geometry. The massive PCA variance spike (0.18->86.20) and the clustering divergence you observe are likely explained in part or entirely by architectural differences, not by the backdoor. A fair comparison requires the same base model as both clean and poisoned architectures — take Phi-3-mini clean, inject the backdoor via LoRA, and compare those two. The current setup cannot attribute the geometric differences to the backdoor.

Additional concerns: (1) Single-layer probing at Layer 15 is heuristic — ablation across multiple layers would strengthen the claim. (2) The 5% poisoning ratio with no held-out test split means the detection result has no held-out validation. (3) The trigger inversion output ("folderszw restrictions Saturday") would benefit from a semantic proximity analysis showing how close it is to the ground-truth trigger, not just the loss curve.

This is promising work with a real product direction. The fix is not complex — re-run the experiment with same-architecture clean vs. poisoned comparison — and it would substantially change the evidential strength of the headline numbers.

The core empirical result here is striking and worth taking seriously: a backdoored model's latent variance along PC1 jumps from 0.18 to 86.20 on completely benign, trigger-free prompts. If this generalizes, it means you don't need to guess the trigger to detect that something is wrong you just need a clean reference model and 500 forward passes. That's a genuinely useful operational finding for supply-chain auditing.

The main weakness is that the experimental setup is somewhat narrow in ways that matter for the claimed generalizability. The comparison is between Phi-3-mini (poisoned) and Phi-2 (clean control) two different model architectures, not the same model pre- and post-poisoning. This means the variance spike could partly reflect architectural differences rather than the backdoor alone. A cleaner design would use the same base model with and without the LoRA adapter. Additionally, the 5% poisoning ratio and the specific trigger phrase are design choices that strongly affect how detectable the backdoor is; it would be worth testing whether the PCA signal degrades gracefully at 1% poisoning or with more subtle triggers. The gradient inversion result ("folderszw restrictions Saturdayğ") is presented as a near-success, but the deviation from the ground-truth trigger is substantial enough that the practical utility for auditing teams is unclear recovering the thematic neighborhood is useful, but the paper should be more precise about what "semantic approximation" means operationally. The dashboard demo is a nice touch and makes the work accessible. This team has identified a promising detection signal; the next step is a more controlled ablation study.

Strong problem choice and a remarkably complete artifact — working pipeline, dashboard, and clear threat model. One structural issue dominates everything else:

Your control and poisoned models are different architectures — Phi-2 vs Phi-3-mini (Table A2). So the 0.18→86.20 variance spike can't be attributed to the backdoor; it's confounded with the model change. This also contradicts the "identically structured" claim in §4.1/§5.1. Fix: train a clean and poisoned LoRA on the same base model.

Add a clean-vs-clean baseline so we know whether 86.20 is anomalous or normal run-to-run variation.

Normalize the PCA variance — raw unitless numbers across two models aren't comparable.

Trigger recovery ("folderszw restrictions Saturdayğ") doesn't match the real trigger ([alpha-omega-override]); report it as a partial/failed result rather than a "semantic approximation."

Fix config contradictions — LoRA rank (8 vs 16), alpha (16 vs 32), and target modules differ between text and appendix.

Tone down the hype ("breakthrough," "critical verdict"); plain claims read as more rigorous.

This project targets an important and practical AI safety problem: detecting hidden backdoors in open-source models and adapters before deployment. The emphasis on latent-space auditing rather than output-only behavioral testing is well motivated, and the project is especially relevant for supply-chain risk in open-weight ecosystems. The idea of combining activation extraction, PCA/DBSCAN anomaly detection, and trigger inversion into a lightweight forensic workflow is useful and accessible.

The strongest part of the work is the clear end-to-end prototype. The paper describes a concrete poisoned-adapter setup, forward-hook activation capture, dimensionality reduction, clustering, and an attempted trigger-recovery step. The dashboard/repository angle also makes the work more practically usable than a purely conceptual proposal.

The main concern is empirical rigor. The results appear to rely on a very small controlled setup, one backdoor type, one probing layer, one prompt distribution, and limited model coverage. The clean and poisoned models also appear not to be perfectly matched in the appendix: Model A is listed as Phi-2 while Model B is Phi-3-mini, which makes the latent variance comparison difficult to interpret because architecture/model differences could explain much of the geometry shift. A stronger evaluation would compare the same base model with and without the poisoned LoRA, include multiple random clean LoRAs as controls, and test across several trigger types and poisoning rates.

Several claims should be softened. The paper says the backdoor leaves a “persistent structural fingerprint” visible on benign prompts, but it has not yet shown this generalizes beyond the specific synthetic poisoning setup. The DBSCAN thresholds also look hand-selected, and the clean model already has a high outlier ratio, so the anomaly rule needs calibration and false-positive analysis. The trigger inversion output is only loosely related to the true trigger, so it should be presented as exploratory evidence rather than successful trigger extraction.

Overall, this is a promising hackathon prototype with a strong safety motivation and a useful implementation direction, but it needs tighter experimental controls and broader validation before the central detection claim is convincing.

Cite this work

@misc {

title={

(HckPrj) NeuralForensic: Latent Space Activation Auditing for Open-Source Model Supply Chains

},

author={

Vaniya Dhillon, Dipanshu Thakur , Mrinal Meena

},

date={

},

organization={Apart Research},

note={Research submission to the research sprint hosted by Apart.},

howpublished={https://apartresearch.com}

}

Recent Projects

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

PROTEUS (PROTein Evaluation for Unusual Sequences): Structure-Informed Safety Screening for de novo and Evasion-Prone Protein-Coding Sequences

AI protein design tools like RFdiffusion, ProteinMPNN, and Bindcraft make it trivial to produce low-homology sequences that fold into active, potentially hazardous architectures. However, sequence homology-based biosafety screening tools cannot detect proteins that pose functional risk through structurally novel mechanisms with no sequence precedent. We present a tiered computational pipeline that addresses this gap by combining MMseqs2 sequence alignment with structure-based comparison via FoldSeek and DALI against curated toxin databases totaling ~34,000 entries. AlphaFold2-predicted structures are screened for both global fold similarity (FoldSeek) and local active/allosteric site geometry (DALI), capturing convergent functional hazards that sequence screening misses. The pipeline was validated against a panel of toxins, benign proteins, structural mimics, and de novo-designed Munc13 binders, as well as modified ricin variants with residue substitutions. We additionally tested robustness to partial-synthesis evasion, where a bad actor submits multiple shorter coding sequences intended for downstream reassembly into a full toxin-coding gene. We found that while sequence-based screening did not identify any de novo ricin analogues with high certainty, the combined pipeline with FoldSeek and DALI identified all 24 tested de novo ricins as toxic.

Read More

OliGraph: graph-based screening of large oligopools

Existing synthesis screening tools cannot evaluate short oligonucleotide pools, whose overlapping fragments can be reassembled into regulated sequences via polymerase cycling assembly (PCA) yet fall below gene-length detection thresholds. We present OliGraph, an open-source tool that constructs a bi-directed overlap graph from an oligonucleotide pool and extracts contigs for downstream gene-length screening. An optional PCA mode retains only cross-strand overlaps consistent with PCA chemistry. We validated OliGraph in a blinded study across ten simulated pools (70–9,184 oligonucleotides, 30–300 bp) spanning four risk categories. BLAST screening of individual oligonucleotides failed to identify sequences of concern in most pools: three returned zero hits, and vector noise obscured true positives in the remainder. After OliGraph assembly, contig-level BLAST matched the longest assembled sequences (up to 1,905 bp) to sequences of concern at 97–100% identity. In one pool, assembly collapsed 1,634 individual BLAST results into 10 hits from a single contig, all assigned to the same source organism. PCA mode correctly distinguished assemblable from non-assemblable fragments within the same pool. Two pools with no assemblable structure yielded no contigs. OliGraph processed all pools in under 0.2 seconds, fast enough for real-time order screening and consistent with proposals to bring oligonucleotide orders within the scope of synthesis screening regulation.

Read More

BioRT-Bench: A Multi-Attack Red-Teaming Benchmark for Bio-Misuse Safeguards in Frontier LLMs

Frontier AI laboratories are expected to maintain safeguards against biological misuse, but whether deployed models actually refuse bio-misuse queries under adversarial pressure is largely unmeasured in the public literature. We introduce BioRT-Bench, a benchmark that runs four attack methods (direct request, PAIR, Crescendo, and base64 encoding) against four frontier models (Claude Sonnet 4.6, GPT-5.4, DeepSeek V4-flash, Kimi K2.5) across 40 prompts spanning five biosecurity-relevant categories. Responses are scored by a calibrated judge extending StrongREJECT with two bio-specific dimensions: specificity and actionability. We measure Attack Success Rate (ASR), where 0 means the model fully refused and 1 means it provided specific, actionable bio-misuse content. Our results reveal a sharp robustness divide: Chinese frontier models (DeepSeek, Kimi) have under 5% refusal rates even under direct request (ASR 0.88 and 0.79), while Western models (Claude, GPT) maintain substantially stronger safeguards (ASR 0.15 and 0.16). Crescendo is the most effective attack across all models, both in bypassing refusal and in eliciting actionable content. Claude Sonnet 4.6 is the most robust model tested, achieving 100% refusal against base64-encoded prompts.

Read More

This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.
This work was done during one weekend by research workshop participants and does not represent the work of Apart Research.