Limiting model learning to trusted LoRA adapters

When a model is on new data, poisoned data can secretly add hidden behavior that appears only after a specific phrase or pattern. The proposed method limits how the model is allowed to change, so it can only move within the range expressed by trusted . Useful customization can still happen, but some harmful update directions become unreachable by design.

In a company setting, a model may be on user data, outside data, or generated data, and even a small amount of poisoned data could create a . This approach does not try to detect every bad data point; it narrows the space of updates the model is allowed to learn. The same idea could apply to a local or on-device assistant that keeps adapting to its user, letting it change only within behavior patterns already covered by a trusted pool of adapters.

The approach was tested on 196 public , including built to bypass the defense.

Key points

  • Poisoned data can create hidden behavior triggered by a phrase or pattern.
  • The defense limits what model updates are possible instead of trying to find every poisoned example.
  • Trusted define the allowed space for model changes.
  • The idea is relevant to company models and on-device that keep adapting over time.
  • The test used 196 public and included .
Read original