Hasil untuk "Toxicology. Poisons"

Chunyang Li, Junwei Zhang, Anda Cheng et al.

Retrieval-Augmented Generation (RAG) enhances large language models (LLMs) by incorporating external knowledge, but its openness introduces vulnerabilities that can be exploited by poisoning attacks. Existing poisoning methods for RAG systems have limitations, such as poor generalization and lack of fluency in adversarial texts. In this paper, we propose CPA-RAG, a black-box adversarial framework that generates query-relevant texts capable of manipulating the retrieval process to induce target answers. The proposed method integrates prompt-based text generation, cross-guided optimization through multiple LLMs, and retriever-based scoring to construct high-quality adversarial samples. We conduct extensive experiments across multiple datasets and LLMs to evaluate its effectiveness. Results show that the framework achieves over 90\% attack success when the top-k retrieval setting is 5, matching white-box performance, and maintains a consistent advantage of approximately 5 percentage points across different top-k values. It also outperforms existing black-box baselines by 14.5 percentage points under various defense strategies. Furthermore, our method successfully compromises a commercial RAG system deployed on Alibaba's BaiLian platform, demonstrating its practical threat in real-world applications. These findings underscore the need for more robust and secure RAG frameworks to defend against poisoning attacks.

Enrique Mármol Campos, Aurora González Vidal, José Luis Hernández Ramos et al.

Federated Learning (FL) has become a powerful technique for training Machine Learning (ML) models in a decentralized manner, preserving the privacy of the training datasets involved. However, the decentralized nature of FL limits the visibility of the training process, relying heavily on the honesty of participating clients. This assumption opens the door to malicious third parties, known as Byzantine clients, which can poison the training process by submitting false model updates. Such malicious clients may engage in poisoning attacks, manipulating either the dataset or the model parameters to induce misclassification. In response, this study introduces FLAegis, a two-stage defensive framework designed to identify Byzantine clients and improve the robustness of FL systems. Our approach leverages symbolic time series transformation (SAX) to amplify the differences between benign and malicious models, and spectral clustering, which enables accurate detection of adversarial behavior. Furthermore, we incorporate a robust FFT-based aggregation function as a final layer to mitigate the impact of those Byzantine clients that manage to evade prior defenses. We rigorously evaluate our method against five poisoning attacks, ranging from simple label flipping to adaptive optimization-based strategies. Notably, our approach outperforms state-of-the-art defenses in both detection precision and final model accuracy, maintaining consistently high performance even under strong adversarial conditions.

Pankayaraj Pathmanathan, Michael-Andrei Panaitescu-Liess, Cho-Yu Jason Chiang et al.

Retrieval-Augmented Generation (RAG) has emerged as a promising paradigm to enhance large language models (LLMs) with external knowledge, reducing hallucinations and compensating for outdated information. However, recent studies have exposed a critical vulnerability in RAG pipelines corpus poisoning where adversaries inject malicious documents into the retrieval corpus to manipulate model outputs. In this work, we propose two complementary retrieval-stage defenses: RAGPart and RAGMask. Our defenses operate directly on the retriever, making them computationally lightweight and requiring no modification to the generation model. RAGPart leverages the inherent training dynamics of dense retrievers, exploiting document partitioning to mitigate the effect of poisoned points. In contrast, RAGMask identifies suspicious tokens based on significant similarity shifts under targeted token masking. Across two benchmarks, four poisoning strategies, and four state-of-the-art retrievers, our defenses consistently reduce attack success rates while preserving utility under benign conditions. We further introduce an interpretable attack to stress-test our defenses. Our findings highlight the potential and limitations of retrieval-stage defenses, providing practical insights for robust RAG deployments.

Zhou Feng, Jiahao Chen, Chunyi Zhou et al.

Backdoor attacks embed malicious triggers into training data, enabling attackers to manipulate neural network behavior during inference while maintaining high accuracy on benign inputs. However, existing backdoor attacks face limitations manifesting in excessive reliance on training data, poor stealth, and instability, which hinder their effectiveness in real-world applications. Therefore, this paper introduces ShadowPrint, a versatile backdoor attack that targets feature embeddings within neural networks to achieve high ASRs and stealthiness. Unlike traditional approaches, ShadowPrint reduces reliance on training data access and operates effectively with exceedingly low poison rates (as low as 0.01%). It leverages a clustering-based optimization strategy to align feature embeddings, ensuring robust performance across diverse scenarios while maintaining stability and stealth. Extensive evaluations demonstrate that ShadowPrint achieves superior ASR (up to 100%), steady CA (with decay no more than 1% in most cases), and low DDR (averaging below 5%) across both clean-label and dirty-label settings, and with poison rates ranging from as low as 0.01% to 0.05%, setting a new standard for backdoor attack capabilities and emphasizing the need for advanced defense strategies focused on feature space manipulations.

Viet Pham, Thai Le

Large Language Models (LLMs) are increasingly deployed via third-party system prompts downloaded from public marketplaces. We identify a critical supply-chain vulnerability: conditional system prompt poisoning, where an adversary injects a ``sleeper agent'' into a benign-looking prompt. Unlike traditional jailbreaks that aim for broad refusal-breaking, our proposed framework, SPECTRE, optimizes system prompts to trigger LLMs to output targeted, compromised responses only for specific queries (e.g., ``Who should I vote for the US President?'') while maintaining high utility on benign inputs. Operating in a strict black-box setting without model weight access, SPECTRE utilizes a two-stage optimization including a global semantic search followed by a greedy lexical refinement. Tested on open-source models and commercial APIs (GPT-4o-mini, GPT-3.5), SPECTRE achieves up to 70% F1 reduction on targeted queries with minimal degradation to general capabilities. We further demonstrate that these poisoned prompts evade standard defenses, including perplexity filters and typo-correction, by exploiting the natural noise found in real-world system prompts. Our code and data are available at https://github.com/vietph34/CAIN. WARNING: Our paper contains examples that might be sensitive to the readers!

Haorui He, Yupeng Li, Bin Benjamin Zhu et al.

State-of-the-art (SOTA) fact-checking systems combat misinformation by employing autonomous LLM-based agents to decompose complex claims into smaller sub-claims, verify each sub-claim individually, and aggregate the partial results to produce verdicts with justifications (explanations for the verdicts). The security of these systems is crucial, as compromised fact-checkers can amplify misinformation, but remains largely underexplored. To bridge this gap, this work introduces a novel threat model against such fact-checking systems and presents \textsc{Fact2Fiction}, the first poisoning attack framework targeting SOTA agentic fact-checking systems. Fact2Fiction employs LLMs to mimic the decomposition strategy and exploit system-generated justifications to craft tailored malicious evidences that compromise sub-claim verification. Extensive experiments demonstrate that Fact2Fiction achieves 8.9\%--21.2\% higher attack success rates than SOTA attacks across various poisoning budgets and exposes security weaknesses in existing fact-checking systems, highlighting the need for defensive countermeasures.

Somayeh Kianpisheh, Chafika Benzaid, Tarik Taleb

Federated Learning (FL) enables training of a global model from distributed data, while preserving data privacy. However, the singular-model based operation of FL is open with uploading poisoned models compatible with the global model structure and can be exploited as a vulnerability to conduct model poisoning attacks. This paper proposes a multi-model based FL as a proactive mechanism to enhance the opportunity of model poisoning attack mitigation. A master model is trained by a set of slave models. To enhance the opportunity of attack mitigation, the structure of client models dynamically change within learning epochs, and the supporter FL protocol is provided. For a MEC system, the model selection problem is modeled as an optimization to minimize loss and recognition time, while meeting a robustness confidence. In adaption with dynamic network condition, a deep reinforcement learning based model selection is proposed. For a DDoS attack detection scenario, results illustrate a competitive accuracy gain under poisoning attack with the scenario that the system is without attack, and also a potential of recognition time improvement.

Sunay Bhat, Jeffrey Jiang, Omead Pooladzandi et al.

Train-time data poisoning attacks threaten machine learning models by introducing adversarial examples during training, leading to misclassification. Current defense methods often reduce generalization performance, are attack-specific, and impose significant training overhead. To address this, we introduce a set of universal data purification methods using a stochastic transform, $Ψ(x)$, realized via iterative Langevin dynamics of Energy-Based Models (EBMs), Denoising Diffusion Probabilistic Models (DDPMs), or both. These approaches purify poisoned data with minimal impact on classifier generalization. Our specially trained EBMs and DDPMs provide state-of-the-art defense against various attacks (including Narcissus, Bullseye Polytope, Gradient Matching) on CIFAR-10, Tiny-ImageNet, and CINIC-10, without needing attack or classifier-specific information. We discuss performance trade-offs and show that our methods remain highly effective even with poisoned or distributionally shifted generative model training data.

Yu Jiang, Jiyuan Shen, Ziyao Liu et al.

Federated learning (FL) is vulnerable to poisoning attacks, where malicious clients manipulate their updates to affect the global model. Although various methods exist for detecting those clients in FL, identifying malicious clients requires sufficient model updates, and hence by the time malicious clients are detected, FL models have been already poisoned. Thus, a method is needed to recover an accurate global model after malicious clients are identified. Current recovery methods rely on (i) all historical information from participating FL clients and (ii) the initial model unaffected by the malicious clients, leading to a high demand for storage and computational resources. In this paper, we show that highly effective recovery can still be achieved based on (i) selective historical information rather than all historical information and (ii) a historical model that has not been significantly affected by malicious clients rather than the initial model. In this scenario, while maintaining comparable recovery performance, we can accelerate the recovery speed and decrease memory consumption. Following this concept, we introduce Crab, an efficient and certified recovery method, which relies on selective information storage and adaptive model rollback. Theoretically, we demonstrate that the difference between the global model recovered by Crab and the one recovered by train-from-scratch can be bounded under certain assumptions. Our empirical evaluation, conducted across three datasets over multiple machine learning models, and a variety of untargeted and targeted poisoning attacks reveals that Crab is both accurate and efficient, and consistently outperforms previous approaches in terms of both recovery speed and memory consumption.

Quan Zhang, Binqi Zeng, Chijin Zhou et al.

Presently, with the assistance of advanced LLM application development frameworks, more and more LLM-powered applications can effortlessly augment the LLMs' knowledge with external content using the retrieval augmented generation (RAG) technique. However, these frameworks' designs do not have sufficient consideration of the risk of external content, thereby allowing attackers to undermine the applications developed with these frameworks. In this paper, we reveal a new threat to LLM-powered applications, termed retrieval poisoning, where attackers can guide the application to yield malicious responses during the RAG process. Specifically, through the analysis of LLM application frameworks, attackers can craft documents visually indistinguishable from benign ones. Despite the documents providing correct information, once they are used as reference sources for RAG, the application is misled into generating incorrect responses. Our preliminary experiments indicate that attackers can mislead LLMs with an 88.33\% success rate, and achieve a 66.67\% success rate in the real-world application, demonstrating the potential impact of retrieval poisoning.

Jiawei Liang, Siyuan Liang, Aishan Liu et al.

The proliferation of face forgery techniques has raised significant concerns within society, thereby motivating the development of face forgery detection methods. These methods aim to distinguish forged faces from genuine ones and have proven effective in practical applications. However, this paper introduces a novel and previously unrecognized threat in face forgery detection scenarios caused by backdoor attack. By embedding backdoors into models and incorporating specific trigger patterns into the input, attackers can deceive detectors into producing erroneous predictions for forged faces. To achieve this goal, this paper proposes \emph{Poisoned Forgery Face} framework, which enables clean-label backdoor attacks on face forgery detectors. Our approach involves constructing a scalable trigger generator and utilizing a novel convolving process to generate translation-sensitive trigger patterns. Moreover, we employ a relative embedding method based on landmark-based regions to enhance the stealthiness of the poisoned samples. Consequently, detectors trained on our poisoned samples are embedded with backdoors. Notably, our approach surpasses SoTA backdoor baselines with a significant improvement in attack success rate (+16.39\% BD-AUC) and reduction in visibility (-12.65\% $L_\infty$). Furthermore, our attack exhibits promising performance against backdoor defenses. We anticipate that this paper will draw greater attention to the potential threats posed by backdoor attacks in face forgery detection scenarios. Our codes will be made available at \url{https://github.com/JWLiang007/PFF}

Zečić Antonia, Vazdar Bernarda, Slišković Livia et al.

The aim of this study was to investigate the extent of second-hand smoke exposure in younger population visiting nightclubs in Croatia by comparing the levels of nicotine and its main metabolites cotinine and trans-3′-hydroxycotinine (3HC) in urine samples taken from 22 participants before and after spending about three hours in a nightclub, stratified by smoking status (smokers and non-smokers). The samples were prepared by liquid-liquid extraction and analysed with gas chromatography-mass spectrometry. The presence of nicotine, cotinine, and 3HC was confirmed in all urine samples. Their median concentrations significantly differed between the two measurements in non-smokers. Our findings show that even a three-hour exposure to second-hand smoke can significantly increase the levels of nicotine and its metabolites in urine, which are indicative of exposure to other, harmful tobacco smoke substances. They also call for raising awareness of the health risks of exposure to second-hand smoke in the general population and among individuals who frequent nightclubs in particular.

Sadaf Saeedi, Ali Olfati, Tayebeh Sadeghi et al.

Background: Arsenic (AS) is widely distributed in our surroundings, causing various health problems like neurological disorders. The current research was designed to investigate the effect of the anti-oxidant and anti-inflammatory content of sake yeast on the recovery of brain damage in an AS-treated rat's model with behavioral, oxidative stress, and immunogenetics assessment.Method: Twenty-four male rats were treated with AS (3 mg/kg b.wt. per day) alone or in combination form with sake (45 mg/kg b.wt. per day), and animals received them for 30 days in drinking water (n=6/group). The initial mechanism of action was explored by behavioral tests (rotarod, amphetamine rotation, and spatial memory(, oxidative assay, and histopathology methods.Results: Considering the vehicle group, induction of brain abnormalities by AS significantly (P<0.05) decreased the number of substantia nigra neurons, total antioxidant capacity, glutathione peroxidase activity and increased the amount of α-synuclein protein and led to the massive accumulation of malondialdehyde. Meanwhile, sake supplementation can rescue the brain damage caused by this toxic metal, resulting in a reduction of malondialdehyde and α-synuclein protein levels, plus a considerable improvement in blood serum total antioxidant capacity consideration (P<0.05). Activity behavioral tests confirmed the AS-mentioned changes by increasing the number of rotations and rod test time. Histopathology assays mimic the above data.Conclusion: In sum, the sake yeast supplement due to its properties positively influences for improvement of dopaminergic neuron dysfunction via AS damage.

Honglin Lan, Xingguo Li, Yunhui Zhang et al.

Abstract The aim of this study was to evaluate the effects of different types of inulin on acute alcoholic intoxication (AAI) in mice and prepare its hangover beverage. Basic physical and chemical properties of different types of inulin (short‐chain inulin, long‐chain inulin, and phosphorylated long‐chain inulin) were analyzed and given by gavage at a dose of 400 mg kg−1 day−1 for a continuous period of 7 days through animal behavior experiments, and the inebriation percentage, mortality rate, duration of inebriation, and sobering time were recorded with the righting reflex as the judgment criterion. The results showed that, compared with the control group, the drunkenness and mortality rates of short‐chain inulin decreased by 12% and 100%, respectively, and the sober time decreased by 18%, while alcohol tolerance was also improved. The best formula for a short‐chain inulin hangover drink was determined to be: 0.4% granulated sugar, 0.5% citric acid, and 0.5% pectin. These suggest that short‐chain inulin may have potential in preventing AAI.

Lukas Struppek, Martin B. Hentschel, Clifton Poth et al.

Backdoor attacks pose a serious security threat for training neural networks as they surreptitiously introduce hidden functionalities into a model. Such backdoors remain silent during inference on clean inputs, evading detection due to inconspicuous behavior. However, once a specific trigger pattern appears in the input data, the backdoor activates, causing the model to execute its concealed function. Detecting such poisoned samples within vast datasets is virtually impossible through manual inspection. To address this challenge, we propose a novel approach that enables model training on potentially poisoned datasets by utilizing the power of recent diffusion models. Specifically, we create synthetic variations of all training samples, leveraging the inherent resilience of diffusion models to potential trigger patterns in the data. By combining this generative approach with knowledge distillation, we produce student models that maintain their general performance on the task while exhibiting robust resistance to backdoor triggers.

Indu Joshi, Priyank Upadhya, Gaurav Kumar Nayak et al.

Federated learning is a promising direction to tackle the privacy issues related to sharing patients' sensitive data. Often, federated systems in the medical image analysis domain assume that the participating local clients are \textit{honest}. Several studies report mechanisms through which a set of malicious clients can be introduced that can poison the federated setup, hampering the performance of the global model. To overcome this, robust aggregation methods have been proposed that defend against those attacks. We observe that most of the state-of-the-art robust aggregation methods are heavily dependent on the distance between the parameters or gradients of malicious clients and benign clients, which makes them prone to local model poisoning attacks when the parameters or gradients of malicious and benign clients are close. Leveraging this, we introduce DISBELIEVE, a local model poisoning attack that creates malicious parameters or gradients such that their distance to benign clients' parameters or gradients is low respectively but at the same time their adverse effect on the global model's performance is high. Experiments on three publicly available medical image datasets demonstrate the efficacy of the proposed DISBELIEVE attack as it significantly lowers the performance of the state-of-the-art \textit{robust aggregation} methods for medical image analysis. Furthermore, compared to state-of-the-art local model poisoning attacks, DISBELIEVE attack is also effective on natural images where we observe a severe drop in classification performance of the global model for multi-class classification on benchmark dataset CIFAR-10.

Yi-Mei Jin, Ai-Rong Huang, Mei-qian Yu et al.

Objective. The aim of this study was to investigate the effects of sodium hydrosulfide (NaHS) on Lipopolysaccharide (LPS)-induced cardiomyocyte injury in H9c2 cells. Methods. H9c2 cardiomyocytes cultivated with medium containing 10 μg/mL LPS were used to recapitulate the phenotypes of those in sepsis. Two sequential experiments were performed. The first contained a control group, a LPS group, and a LPS + NaHS group, with the aim to assure the protective effects of NaHS on LPS-treated cardiomyocytes. The second experiment added a fourth group, the LPS + NaHS + miR-133a-3p inhibition group, with the aim to preliminarily explore whether miR-133-3p exerts a protective function downstream of NaHS. The adenosine triphosphate (ATP) kit was used to detect ATP content; real-time quantitative polynucleotide chain reaction (qPCR) was used to measure the levels of mammalian targets of rapamycin (mTOR), AMP-dependent protein kinase (AMPK), and miR-133a-3p, and Western blot (WB) was used to detect protein levels of mTOR, AMPK, myosin-like Bcl2 interacting protein (Beclin-1), microtubule-associated protein 1 light chain 3 (LC3I/II), and P62 (sequestosome-1, sqstm-1/P62). Results. Compared with the control group, the expressions of miR-133a-3p (P < 0.001), P62 (P < 0.001), and the content of ATP (P < 0.001) decreased, while the expressions of Beclin-1 (P = 0.023) and LC3I/II (P = 0.048) increased in the LPS group. Compared with the LPS group, the expressions of miR-133a-3p (P < 0.001), P62 (P < 0.001), and the content of ATP (P < 0.001) in the NaHS + LPS group increased, while the expressions of Beclin-1 (P = 0.023) and LC3I/II (P = 0.022) decreased. Compared with the NaHS + LPS group, the expression levels of miR-133a-3p (P < 0.001), P62 (P = 0.001), and the content of ATP (P < 0.001) in the LPS + NaHS + miR-133a-3p inhibition group were downregulated, and the expression levels of Beclin-1 (P = 0.012) and LC3I/II (P = 0.010) were upregulated. The difference was statistically significant. There was no significant difference in the expression of AMPK and mTOR between groups. Conclusion. Our research demonstrated that NaHS relieved LPS-induced myocardial injury in H9c2 by promoting the expression of miR-133a-3p, inhibiting autophagy in cardiomyocytes, and restoring cellular ATP levels.

Xue‐Qin Hu, Bing‐Bing Xia, Wei‐Juan Ru et al.

Abstract Dextranase is an important industrial enzyme for the preparation of isomalto‐oligosaccharides. According to the crystal structures of 20 dextranases of four classes, we summarized the structural characteristics of enzymes and the binding modes of enzymes and ligands in this paper. Based on the characteristics of the products, we analyzed the characteristics of the binding domain and functions of dextranase by means of molecular simulation and molecular docking. The relationship between the product specificity of dextranase, its catalytic pocket shape, and its catalytic mode was briefly summarized. The catalytic mechanism of dextranase was systematically discussed, which provided the basis and reference for the rational transformation of dextranase.

Bengt Fadeel, Phil Sayre

Bengt Fadeel and Phil Sayre discuss lessons learned with respect to the safety assessment of nanomaterials, and provide a perspective on current and future challenges.

Florian Tramèr, Reza Shokri, Ayrton San Joaquin et al.

We introduce a new class of attacks on machine learning models. We show that an adversary who can poison a training dataset can cause models trained on this dataset to leak significant private details of training points belonging to other parties. Our active inference attacks connect two independent lines of work targeting the integrity and privacy of machine learning training data. Our attacks are effective across membership inference, attribute inference, and data extraction. For example, our targeted attacks can poison <0.1% of the training dataset to boost the performance of inference attacks by 1 to 2 orders of magnitude. Further, an adversary who controls a significant fraction of the training data (e.g., 50%) can launch untargeted attacks that enable 8x more precise inference on all other users' otherwise-private data points. Our results cast doubts on the relevance of cryptographic privacy guarantees in multiparty computation protocols for machine learning, if parties can arbitrarily select their share of training data.