Protein Embedding-Based Detection of Sequence-Diverse Biosecurity Threats

Good problem selection - we should be developing more AI based tools for sequence screening. Cool 2-component AI methodology in using Protein-MPNN to generate potential sequences and then generating embeddings for these sequences, which was a cool idea. It was a shame that more results couldn’t be produced.

Couple pointers (apologies if it’s a bit terse):

Figure 1 was goofy and didn’t add much, and especially as you are recreating it from another publication I think this wasn’t necessary.

I had some confusion about what was in your dataset. Initially you said that you were using ‘toxins’ as test cases for dangerous sequences, which seemed reasonable. But then you afterwards mention several more ‘toxins’ as SARS-CoV-2/Sindbis/Influenza. These are very much not toxins, these are viruses. Overall I was kind of confused about what was actually in your data.

The data don’t look particularly promising (?). The PCA plots sort of look like everything smooshes together to me, rather than cluster nicely as you suggest. And why would they? The data selection doesn’t seem particularly well considered - I do not see what biological basis we could have to expect that a completely sequence-redesigned influenza NP protein would cluster in a similar space as a redesigned Cholera toxin, or anything from the database you cite (https://www.uniprot.org/keywords/KW-0800). There’s no such thing as ‘toxin space’ vs ‘non-toxin space’, so the first PCA is a bit mute imo.

It’s always a good idea to ask 1) what is the simplest experiment I can do and 2) what is an obvious benchmark to test against. Making fancy LLM embeddings of proteins is…fancy. What would happen if you just made a one-hot encoding? Would that actually perform better than the fancy high-dimensional embeddings? You did better on point 2) using SecureDNA as a screening tool comparison

If I’m not mistaken, you don’t actually show any data on how accurately your embeddings could flag redesigned sequences? Seems like you ran out of time and ran into compute constraints - hope you manage to see the project through to more completion!

Limitations you missed/should have expanded on more:

Ultimately, we don’t know whether Protein-MPNN is spitting out credible structures unless we make them and test them empirically. You mentioned that we cannot know whether end functionality (e.g. virulence) is retained, but I think we also have to be cautious about saying that the underlying 3D structure would also be preserved, without much empirical evidence (and when we do have evidence, this is heavily curated).

Could you pare things down to just select agents that are known to be screened against? Rather than using SecureDNA with loads toxins.

You use ORFs, but there are plenty of ‘danger signal’ sequences not in ORFs - particularly in viral UTRs - that you wouldn’t (and couldn’t) have modelled here.

You have identified a clear problem area and provided a conceptual solution. I do think more time could have been used either researching or referencing past work to complement yours though. As examples:

- https://biolm.ai/models/biolmtox2/

- https://www.biorxiv.org/content/10.1101/2024.12.02.626439v1

- https://www.biorxiv.org/content/10.1101/2024.07.05.602129v1.full

Your paper was easy to understand, and you highlighted limitations and dual-use concerns, which is very important. I do think more caution should be used as some claims or language surrounding claims were either unclear, or exaggerated. As examples, "variants with 0-60% sequence identity while preserving the original three-dimensional structure" it was not clear how 3-D structure was validated, and "provides strong evidence that ESM2 embeddings capture functional signatures" sounds very strong relative to no functional validation being done given the short time you had.

This project addresses an important gap in biosecurity, namely whether modern protein engineering methods are able to bypass DNA screening, and how to recognize them. It correctly poses the problem of recognizing that similarity of sequences does not imply similarity of function, which matches the actual challenge related to ProteinMPNN-type attacks on current systems. Using ProteinMPNN for generation, ESM2 for encoding, and SecureDNA as a base system is a good choice. The main result is strong, with the identification of sequence-based diverse variants clustering together with toxins in embedding space, especially the quantitatively strong finding of 2361/2440 variants falling near the toxin cluster. Comparing the SecureDNA system to its failure at recognizing redesigned variants and getting 0% detection success makes the results even more relevant, but there is a strong dual-use case of this methodology. The two-stage process of homology and embeddings positions embedding techniques as complementary to existing systems, not replacing them at all, which is great.

Where it could be stronger: The core idea, that is embeddings capture functional similarity beyond sequence, is already quite established. I also found the classifier a bit too simplistic, although this could be improved if the project was further pursued. Also, scalability and deployment are not deeply addressed. ESM2-650M embeddings are computationally expensive and there is no discussion of throughput constraints and real-time feasibility projections. Lastly, I found the first image to be simply unnecessary.