Data Poisoning Attacks Can Systematically Destabilize Data-Driven Control Synthesis
Vijayanand Digge, Martina Vanelli, Ahmad W. Al-Dabbagh
et al.
Data-driven control has emerged as a powerful paradigm for synthesizing controllers directly from data, bypassing explicit model identification. However, this reliance on data introduces new and largely unexplored vulnerabilities. In this paper, we show that an attacker can systematically poison the data used for control synthesis, causing any linear state-feedback controller synthesized by the planner to destabilize the physical system. Concerningly, we show that the attacker can achieve this objective without knowledge of the system model or the controller synthesis procedure. To this end, we develop a recursive data-poisoning mechanism that generates falsified state trajectories, inducing a precise geometric shift in the apparent system dynamics. More broadly, our results establish that data-driven control pipelines can be deterministically destabilized by model-agnostic attacks operating solely at the data level. Numerical simulations corroborate these findings for both noise-free and noisy data.
ProGRank: Probe-Gradient Reranking to Defend Dense-Retriever RAG from Corpus Poisoning
Xiangyu Yin, Yi Qi, Chih-Hong Cheng
Retrieval-Augmented Generation (RAG) improves the reliability of large language model applications by grounding generation in retrieved evidence, but it also introduces a new attack surface: corpus poisoning. In this setting, an adversary injects or edits passages so that they are ranked into the Top-$K$ results for target queries and then affect downstream generation. Existing defences against corpus poisoning often rely on content filtering, auxiliary models, or generator-side reasoning, which can make deployment more difficult. We propose ProGRank, a post hoc, training-free retriever-side defence for dense-retriever RAG. ProGRank stress-tests each query-passage pair under mild randomized perturbations and extracts probe gradients from a small fixed parameter subset of the retriever. From these signals, it derives two instability signals, representational consistency and dispersion risk, and combines them with a score gate in a reranking step. ProGRank preserves the original passage content, requires no retraining, and also supports a surrogate-based variant when the deployed retriever is unavailable. Extensive experiments across three datasets, three dense retriever backbones, representative corpus poisoning attacks, and both retrieval-stage and end-to-end settings show that ProGRank provides stronger defence performance and a favorable robustness-utility trade-off. It also remains competitive under adaptive evasive attacks.
Hidden in the Metadata: Stealth Poisoning Attacks on Multimodal Retrieval-Augmented Generation
Kennedy Edemacu, Mohammad Mahdi Shokri
Retrieval-augmented generation (RAG) has emerged as a powerful paradigm for enhancing multimodal large language models by grounding their responses in external, factual knowledge and thus mitigating hallucinations. However, the integration of externally sourced knowledge bases introduces a critical attack surface. Adversaries can inject malicious multimodal content capable of influencing both retrieval and downstream generation. In this work, we present MM-MEPA, a multimodal poisoning attack that targets the metadata components of image-text entries while leaving the associated visual content unaltered. By only manipulating the metadata, MM-MEPA can still steer multimodal retrieval and induce attacker-desired model responses. We evaluate the attack across multiple benchmark settings and demonstrate its severity. MM-MEPA achieves an attack success rate of up to 91%, consistently disrupting system behaviors across four retrievers and two multimodal generators. Additionally, we assess representative defense strategies and find them largely ineffective against this form of metadata-only poisoning. Our findings expose a critical vulnerability in multimodal RAG and underscore the urgent need for more robust, defense-aware retrieval and knowledge integration methods.
<i>Posidonia oceanica</i> Extract Inhibits VEGF-Induced Angiogenic and Oxidative Responses in Human Endothelial Colony-Forming Cells
Francesca Margheri, Cecilia Anceschi, Elena Frediani
et al.
Angiogenesis, the formation of new blood vessels from pre-existing vasculature, is essential for physiological processes such as development and wound healing, but its dysregulation contributes to a range of pathological conditions including cancer, diabetic retinopathy, and chronic inflammation. In recent years, marine-derived compounds have emerged as promising multitarget agents with anti-angiogenic potential. <i>Posidonia oceanica</i>, a Mediterranean seagrass traditionally used in folk medicine, is increasingly recognized for its pharmacological properties, including antioxidant, anti-inflammatory, and anti-invasive activities. This study investigated the effects of a hydroethanolic extract from <i>P. oceanica</i> leaves (POE) on human Endothelial Colony-Forming Cells (ECFCs), a subpopulation of endothelial progenitor cells with high proliferative and vessel-forming capacity, and a relevant model for studying pathological angiogenesis. ECFCs were treated with POE (4–8 µg/mL), and cell viability, morphology, migration, invasion, tube formation, oxidative stress, and activation markers were evaluated. POE did not alter ECFC morphology or viability, as confirmed by Trypan Blue and MTT assays. However, functional assays revealed that POE significantly impaired ECFC migration, invasion, and in vitro angiogenesis in a dose-dependent manner. Under VEGF (Vascular endothelial growth factor) stimulation, POE reduced intracellular ROS accumulation and downregulated key redox-regulating genes (<i>hTRX1</i>, <i>hTRX2</i>, <i>PRDX2</i>, <i>AKR1C1</i>, <i>AKR1B10</i>). Western blot analysis showed that POE inhibited VEGF-induced phosphorylation of KDR, mTOR and p-ERK, while p-AKT remained elevated, indicating selective disruption of VEGF downstream signaling. Furthermore, POE reduced the expression of pro-inflammatory and pro-coagulant markers (<i>VCAM-1</i>, <i>ICAM-1</i>, <i>TF</i>) and partially reversed TNF-α–induced endothelial activation. These findings suggest that POE exerts anti-angiogenic effects through a multitargeted mechanism, supporting its potential as a natural therapeutic agent for diseases characterized by aberrant angiogenesis.
Therapeutics. Pharmacology, Toxicology. Poisons
Combined Effects of Metals, PCBs, Dioxins, and Furans on Cardiovascular Dysfunction
Bolanle Akinyemi, Emmanuel Obeng-Gyasi
Environmental exposures to heavy metals, polychlorinated biphenyls (PCBs), dioxins, and furans have been associated with adverse cardiovascular outcomes, yet their combined effects remain underexplored. This study examined the joint influence of these contaminants on cardiovascular risk indicators in a representative sample of U.S. adults from the 2003–2004 National Health and Nutrition Examination Survey (NHANES). Biomarkers of exposure included lead, cadmium, mercury, twelve PCB congeners, seven dioxins, and ten furans. Cardiovascular outcomes were assessed using blood pressure, Framingham Risk Score (FRS), and lipid profiles. Associations were analyzed using multivariable linear regression and Bayesian Kernel Machine Regression (BKMR), adjusting for age, sex, ethnicity, body mass index, smoking, alcohol consumption, and income. The results demonstrated that metals, particularly mercury, were strongly associated with increased blood pressure and altered HDL cholesterol. PCBs were predominantly linked to elevated systolic blood pressure and FRS, with PCB156 and PCB126 identified as principal contributors. Furans exhibited the strongest associations with dyslipidemia, including elevated LDL cholesterol, total cholesterol, and triglycerides. Combined exposure analysis revealed a complex pattern, with increasing pollutant burdens associated with rising blood pressure and risk scores but declining lipid levels. These findings underscore the outcome-specific effects of pollutant mixtures and suggest that chronic low-level exposure to multiple environmental contaminants may contribute to cardiovascular dysfunction in the general population. Further longitudinal research is needed to confirm these associations and guide risk reduction strategies.
Therapeutics. Pharmacology, Toxicology. Poisons
Generation of Potential Therapeutic Lactobacillus Derived Exopolysaccharides as Functional Food Ingredients That May Aid in the Control of Chronic Inflammation and Inflammatory Bowel Disease
Dearbhla Finnegan, Helena Mylise Copeland, Brian Freeland
et al.
Some lactic acid bacteria (LAB) can synthesize exopolysaccharides (EPS) during fermentation that enhance the functional value of food products and may confer health benefits including immunomodulation. We aimed to examine the potential anti‐inflammatory effects of EPS from three Lactobacillus species in the context of chronic inflammatory diseases, including Crohn's disease (CD) and ulcerative colitis (UC). Lactobacillus delbrueckii subsp. bulgaricus 327 (LB327), Lentilactobacillus kefiri 13 (LKF13), and Lacticaseibacillus rhamnosus 28 (LRH28) were cultivated in MRS media, yielding 225–260 mg/L EPS. Biomass and EPS yields were harvested and quantified. The chemical structure of the purified EPS was subsequently characterized using Fourier‐transform infrared (FTIR) spectroscopy to identify functional groups. EPS samples were tested for immunomodulatory potential using J774A.1 murine macrophages and JAWS II dendritic cells under lipopolysaccharide (LPS) stimulation. Cell viability remained unaffected. EPS reduced the pro‐inflammatory cytokines IL‐1β and TNF‐α, increased anti‐inflammatory IL‐10 and dual‐role IL‐6, and exerted minimal effect on chemokine secretion in LPS‐induced inflammatory models. Overall, LB327, LKF13, and LRH28 demonstrated anti‐inflammatory effects, modulating cytokine profiles while preserving chemokine signaling. These findings highlight the potential of LAB‐derived EPS as functional food ingredients capable of immune regulation, suggesting a dietary supportive role alongside conventional therapies in chronic inflammatory diseases including UC and CD.
Food processing and manufacture, Toxicology. Poisons
A cryopreserved and in vivo-in vitro validated human induced pluripotent stem cell blood-brain barrier model for reliable neurotoxicity assessment
Paul Kurtenbach, Sam Thilmany, Maria Hahn
et al.
Brain exposure to toxic agents is a key condition for neurotoxicity hazards in the human central nervous system (CNS). Therefore, reliable prediction of brain penetration is needed to confirm the toxicological safety of compounds to be developed. However, current regulatory risk assessments of neurotoxicity are mainly performed in rodents, which entails several critical issues associated with animal studies. Consequently, authorities worldwide have highlighted the importance of harmonized, human-relevant new approach methodologies (NAMs) such as human induced pluripotent stem cell (hiPSC)-derived models to estimate substrate permeabilities concerning the blood-brain barrier (BBB). This study aimed to redesign a commercially available human BBB model and permeability testing method for future regulatory neurotoxicity studies, considering the in vivo architecture and functionality as well as potential for standardization and higher throughput. Model validation should be achieved by correlation of in vitro permeability to human clinical positron emission tomography (PET) data to enable reliable prediction of in vivo brain penetration. Accordingly, cryopreserved hiPSC-derived BBB models were set up within five days in 96-transwells®, quality-controlled for in vivo barrier properties and exposed to seven pharmaceuticals analogously to clinical PET studies (exposure concentrations: 5 µM to 10 µM for 60 min). The results indicated that the redesigned in vitro permeability assessment model allows emulation of human in vivo brain penetration (Spearman rank correlation coefficient: 0.964). This suggests that utilizing novel commercially available, cryopreserved hiPSC-derived BBB cells could be an important starting point for a standardizable NAMs application to be implemented in regulatory neurotoxicity hazard assessment.
Skin Wound Healing: The Impact of Treatment with Antimicrobial Nanoparticles and Mesenchymal Stem Cells
Pavel Rossner, Eliska Javorkova, Michal Sima
et al.
An investigation into the biological mechanisms initiated in wounded skin following the application of mesenchymal stem cells (MSCs) and nanoparticles (NPs) (Ag, ZnO), either alone or combined, was performed in mice, with the aim of determining the optimal approach to accelerate the healing process. This combined treatment was hypothesized to be beneficial, as it is associated with the production of molecules supporting the healing process and antimicrobial activity. The samples were collected seven days after injury. When compared with untreated wounded animals (controls), the combined (MSCs+NPs) treatment induced the expression of <i>Sprr2b</i>, encoding small proline-rich protein 2B, which is involved in keratinocyte differentiation, the response to tissue injury, and inflammation. Pathways associated with keratinocyte differentiation were also affected. Ag NP treatment (alone or combined) modulated DNA methylation changes in genes involved in desmosome organization. The percentage of activated regulatory macrophages at the wound site was increased by MSC-alone and Ag-alone treatments, while the production of nitric oxide, an inflammatory marker, by stimulated macrophages was decreased by both MSC/Ag-alone and MSCs+Ag treatments. Ag induced the expression of <i>Col1</i>, encoding collagen-1, at the injury site. The results of the MSC and NP treatment of skin wounds (alone or combined) suggest an induction of processes accelerating the proliferative phase of healing. Thus, MSC-NP interactions are a key factor affecting global mRNA expression changes in the wound.
Therapeutics. Pharmacology, Toxicology. Poisons
Revisiting Backdoor Attacks on LLMs: A Stealthy and Practical Poisoning Framework via Harmless Inputs
Jiawei Kong, Hao Fang, Xiaochen Yang
et al.
Recent studies have widely investigated backdoor attacks on Large Language Models (LLMs) by inserting harmful question-answer (QA) pairs into their training data. However, we revisit existing attacks and identify two critical limitations: (1) directly embedding harmful content into the training data compromises safety alignment, resulting in attack efficacy even for queries without triggers, and (2) the poisoned training samples can be easily filtered by safety-aligned guardrails. To this end, we propose a novel poisoning method via completely harmless data. Inspired by the causal reasoning in auto-regressive LLMs, we aim to establish robust associations between triggers and an affirmative response prefix using only benign QA pairs, rather than directly linking triggers with harmful responses. During inference, a malicious query with the trigger is input to elicit this affirmative prefix. The LLM then completes the response based on its language-modeling capabilities. Achieving this using only clean samples is non-trivial. We observe an interesting resistance phenomenon where the LLM initially appears to agree but subsequently refuses to answer. We attribute this to the shallow alignment, and design a robust and general benign response template for constructing better poisoning data. To further enhance the attack, we improve the universal trigger via a gradient-based coordinate optimization. Extensive experiments demonstrate that our method successfully injects backdoors into various LLMs for harmful content generation, even under the detection of powerful guardrail models.
Winter Soldier: Backdooring Language Models at Pre-Training with Indirect Data Poisoning
Wassim Bouaziz, Mathurin Videau, Nicolas Usunier
et al.
The pre-training of large language models (LLMs) relies on massive text datasets sourced from diverse and difficult-to-curate origins. Although membership inference attacks and hidden canaries have been explored to trace data usage, such methods rely on memorization of training data, which LM providers try to limit. In this work, we demonstrate that indirect data poisoning (where the targeted behavior is absent from training data) is not only feasible but also allows a dataset to be effectively protected and its use traced. Using gradient-based optimization prompt-tuning, we make a model learn arbitrary secret sequences: secret responses to secret prompts that are absent from the training corpus. We validate our approach on language models pre-trained from scratch and show that less than 0.005% of poisoned tokens are sufficient to covertly make an LM learn a secret and detect it with extremely high confidence ($p < 10^{-55}$) with a theoretically certifiable scheme. Crucially, this occurs without performance degradation (on LM benchmarks) and despite secrets never appearing in the training set.
A Client-level Assessment of Collaborative Backdoor Poisoning in Non-IID Federated Learning
Phung Lai, Guanxiong Liu, NhatHai Phan
et al.
Federated learning (FL) enables collaborative model training using decentralized private data from multiple clients. While FL has shown robustness against poisoning attacks with basic defenses, our research reveals new vulnerabilities stemming from non-independent and identically distributed (non-IID) data among clients. These vulnerabilities pose a substantial risk of model poisoning in real-world FL scenarios. To demonstrate such vulnerabilities, we develop a novel collaborative backdoor poisoning attack called CollaPois. In this attack, we distribute a single pre-trained model infected with a Trojan to a group of compromised clients. These clients then work together to produce malicious gradients, causing the FL model to consistently converge towards a low-loss region centered around the Trojan-infected model. Consequently, the impact of the Trojan is amplified, especially when the benign clients have diverse local data distributions and scattered local gradients. CollaPois stands out by achieving its goals while involving only a limited number of compromised clients, setting it apart from existing attacks. Also, CollaPois effectively avoids noticeable shifts or degradation in the FL model's performance on legitimate data samples, allowing it to operate stealthily and evade detection by advanced robust FL algorithms. Thorough theoretical analysis and experiments conducted on various benchmark datasets demonstrate the superiority of CollaPois compared to state-of-the-art backdoor attacks. Notably, CollaPois bypasses existing backdoor defenses, especially in scenarios where clients possess diverse data distributions. Moreover, the results show that CollaPois remains effective even when involving a small number of compromised clients. Notably, clients whose local data is closely aligned with compromised clients experience higher risks of backdoor infections.
Backdoor Poisoning Attack Against Face Spoofing Attack Detection Methods
Shota Iwamatsu, Koichi Ito, Takafumi Aoki
Face recognition systems are robust against environmental changes and noise, and thus may be vulnerable to illegal authentication attempts using user face photos, such as spoofing attacks. To prevent such spoofing attacks, it is crucial to discriminate whether the input image is a live user image or a spoofed image prior to the face recognition process. Most existing spoofing attack detection methods utilize deep learning, which necessitates a substantial amount of training data. Consequently, if malicious data is injected into a portion of the training dataset, a specific spoofing attack may be erroneously classified as live, leading to false positives. In this paper, we propose a novel backdoor poisoning attack method to demonstrate the latent threat of backdoor poisoning within face anti-spoofing detection. The proposed method enables certain spoofing attacks to bypass detection by embedding features extracted from the spoofing attack's face image into a live face image without inducing any perceptible visual alterations. Through experiments conducted on public datasets, we demonstrate that the proposed method constitutes a realistic threat to existing spoofing attack detection systems.
Exploiting Meta-Learning-based Poisoning Attacks for Graph Link Prediction
Mingchen Li, Di Zhuang, Keyu Chen
et al.
Link prediction in graph data uses various algorithms and Graph Neural Network (GNN) models to predict potential relationships between graph nodes. These techniques have found widespread use in numerous real-world applications, including recommendation systems, community/social networks, and biological structures. However, recent research has highlighted the vulnerability of GNN models to adversarial attacks, such as poisoning and evasion attacks. Addressing the vulnerability of GNN models is crucial to ensure stable and robust performance in GNN applications. Although many works have focused on enhancing the robustness of node classification on GNN models, the robustness of link prediction has received less attention. To bridge this gap, this article introduces an unweighted graph poisoning attack that leverages meta-learning with weighted scheme strategies to degrade the link prediction performance of GNNs. We conducted comprehensive experiments on diverse datasets across multiple link prediction applications to evaluate the proposed method and its parameters, comparing it with existing approaches under similar conditions. Our results demonstrate that our approach significantly reduces link prediction performance and consistently outperforms other state-of-the-art baselines.
New techniques and methods for study of environmental health effects
Xianan ZHANG, Shenshen WU, Qingtao MENG
et al.
The health effects associated with environmental pollutants remain one of the major public health issues at present. The research method focusing on the population as the research subjects is limited by reliable cohorts, and the research method targeting individual molecules cannot fully reflect the biological health effects under environmental pollutant stress. Using high-throughput multi-omics, machine learning, and epigenetic detection to conduct targeted research and joint analysis on cells, organoids, organs, animals, and humans in different biological dimensions will help provide data support for the study of potential targets and biological effects of environmental pollutants, providing a theoretical basis for the risk assessment and safety evaluation of environmental pollutants.
Medicine (General), Toxicology. Poisons
The physiological effects of acute and sub-lethal exposure to phenol on antioxidant enzyme activity in the freshwater sludge worm Tubifex tubifex
Debanjali Chakraborty, Ahamadul Hoque Mandal, Surajit Ghosh
et al.
The current study investigates the severe effects of commonly employed chemicals, such as phenol, on the freshwater bottom-dwelling annelids of Tubifex tubifex. In an acute toxicity test, phenol's 96-hour LC50 value against Tubifex tubifex was identified to be 221.552 mg/L. Using the GUTS simulation, which places the GUTS-SD model on top of the GUTS-IT model, it was possible to confirm that the test organism would survive an acute exposure to phenol overall. After 14 days of treatment with 10 % and 20 % of the phenol's 96-hour LC50 values, long-term bioassays revealed changes in protein levels and in oxidative stress enzyme levels. Total protein concentration dropped during the bioassay, but levels of antioxidant enzymes (CAT, GST, SOD, and MDA) increased. The Pearson correlation matrix and the Integrated Biomarker Response (IBR) index were used for examining the relationship between biomarkers, toxicants, and phenol-induced stress. The results show that exposure to phenol is detrimental to the survival and general health of Tubifex tubifex.
Intrageneric cross-reactivity of monospecific rabbit antisera against venoms of mamba (Elapidae: Dendroaspis spp.) snakes
Aarón Gómez, Andrés Sánchez, Gina Durán
et al.
Snakebite envenomation is a neglected tropical disease posing a high toll of mortality and morbidity in sub-Saharan Africa. Polyspecific antivenoms of broad effectiveness and specially designed for this region require a detailed understanding of the immunological features of the mamba snake (Dendroaspis spp.) venoms for the selection of the most appropriate antigen combination to produce antivenoms of wide neutralizing scope. Monospecific antisera were generated in rabbits against the venoms of the four species of mambas. The toxic effects of the immunization scheme in the animals were evaluated, antibody titers were estimated using immunochemical assays, and neutralization of lethal activity was assessed. By the end of the immunization schedule, rabbits showed normal values of the majority of hematological parameters tested. No muscle tissue damage was noticed, and no alterations in most serum chemical parameters were observed. Immunological analyses revealed a variable extent of cross-reactivity of the monospecific antisera against the heterologous venoms. The venoms of D. jamesoni and D. viridis generated the antisera with broader cross-reactivity by immunochemical parameters. The venoms of D. polylepis and D. viridis generated the antisera with better cross-neutralization of lethality, although the neutralizing ability of all antisera was lower than 0.16 mg venom/mL antiserum against either homologous or heterologous venoms. These experimental results must be scaled to large animal models used in antivenom manufacture at industrial level to assess whether these predictions are reproducible.
Comparing the effects of three neonicotinoids on embryogenesis of the South African clawed frog Xenopus laevis
Hannah Flach, Carla Brendler, Martina Schöpf
et al.
Neonicotinoids (NEOs) are widely used insecticides that are ubiquitous in agricultural use. Since NEOs are found in natural waters as well as in tap water and human urine in regions where NEOs are widely used, NEOs pose a potential hazard to non-target organisms such as animals and humans. Some of the commonly detected NEOs are imidacloprid (IMD), thiamethoxam (TMX), and its metabolite clothianidin (CLO). Although previously published scientific information, including an assessment of the environmental risks, particularly for bees, had resulted in a ban on the outdoor use of these three NEOs in the EU – their use is now only permitted in closed greenhouses – these NEOs continue to be used in agriculture in many other parts of the world. Therefore, a detailed study and comparison of the effects of NEOs on the embryonic development of non-target organisms is needed to further define the risk profiles. Embryos of the South African clawed frog Xenopus laevis, a well-established aquatic model, were exposed to different concentrations of IMD, TMX, or CLO (0.1–100 mg/L) to study and compare the possible effects of a single contaminant in natural water bodies on early embryogenesis. The results included a reduced body length, a smaller orbital space, impaired cranial cartilage and nerves, and an altered heart structure and function. At the molecular level, NEO exposure partially resulted in an altered expression of tissue-specific factors, which are involved in eye, cranial placode, and heart development. Our results suggest that the NEOs studied negatively affect the embryonic development of the non-target organism X. laevis. Since pesticides, especially NEOs, pollute the environment worldwide, it is suggested that they are strictly controlled and monitored in the areas where they are used. In addition, the question arises as to whether pesticide metabolites also pose a risk to the environment and need to be investigated further so that they can be taken into account when registering ingredients.
Hidden in Plain Sound: Environmental Backdoor Poisoning Attacks on Whisper, and Mitigations
Jonatan Bartolini, Todor Stoyanov, Alberto Giaretta
Thanks to the popularisation of transformer-based models, speech recognition (SR) is gaining traction in various application fields, such as industrial and robotics environments populated with mission-critical devices. While transformer-based SR can provide various benefits for simplifying human-machine interfacing, the research on the cybersecurity aspects of these models is lacklustre, particularly concerning backdoor poisoning attacks. In this paper, we propose a new poisoning approach that maps different environmental trigger sounds to target phrases of different lengths during the fine-tuning phase. We test our approach on Whisper, one of the most popular transformer-based SR models, showing that it is highly vulnerable to our attack under several testing conditions. To mitigate the attack proposed in this paper, we investigate the use of Silero VAD, a state-of-the-art voice activity detection (VAD) model, as a defence mechanism. Our experiments show that it is possible to use VAD models to filter out malicious triggers and mitigate our attacks, with a varying degree of success depending on the type of trigger sound and testing conditions.
Mean Aggregator is More Robust than Robust Aggregators under Label Poisoning Attacks on Distributed Heterogeneous Data
Jie Peng, Weiyu Li, Stefan Vlaski
et al.
Robustness to malicious attacks is of paramount importance for distributed learning. Existing works usually consider the classical Byzantine attack model, which assumes that some workers can send arbitrarily malicious messages to the server and disturb the aggregation steps of the distributed learning process. To defend against such worst-case Byzantine attacks, various robust aggregators have been proposed. They are proven to be effective and much superior to the often-used mean aggregator. In this paper, however, we demonstrate that the robust aggregators are too conservative for a class of weak but practical malicious attacks, known as label poisoning attacks, where the sample labels of some workers are poisoned. Surprisingly, we are able to show that the mean aggregator is more robust than the state-of-the-art robust aggregators in theory, given that the distributed data are sufficiently heterogeneous. In fact, the learning error of the mean aggregator is proven to be order-optimal in this case. Experimental results corroborate our theoretical findings, showing the superiority of the mean aggregator under label poisoning attacks.
LoRec: Large Language Model for Robust Sequential Recommendation against Poisoning Attacks
Kaike Zhang, Qi Cao, Yunfan Wu
et al.
Sequential recommender systems stand out for their ability to capture users' dynamic interests and the patterns of item-to-item transitions. However, the inherent openness of sequential recommender systems renders them vulnerable to poisoning attacks, where fraudulent users are injected into the training data to manipulate learned patterns. Traditional defense strategies predominantly depend on predefined assumptions or rules extracted from specific known attacks, limiting their generalizability to unknown attack types. To solve the above problems, considering the rich open-world knowledge encapsulated in Large Language Models (LLMs), our research initially focuses on the capabilities of LLMs in the detection of unknown fraudulent activities within recommender systems, a strategy we denote as LLM4Dec. Empirical evaluations demonstrate the substantial capability of LLMs in identifying unknown fraudsters, leveraging their expansive, open-world knowledge. Building upon this, we propose the integration of LLMs into defense strategies to extend their effectiveness beyond the confines of known attacks. We propose LoRec, an advanced framework that employs LLM-Enhanced Calibration to strengthen the robustness of sequential recommender systems against poisoning attacks. LoRec integrates an LLM-enhanced CalibraTor (LCT) that refines the training process of sequential recommender systems with knowledge derived from LLMs, applying a user-wise reweighting to diminish the impact of fraudsters injected by attacks. By incorporating LLMs' open-world knowledge, the LCT effectively converts the limited, specific priors or rules into a more general pattern of fraudsters, offering improved defenses against poisoning attacks. Our comprehensive experiments validate that LoRec, as a general framework, significantly strengthens the robustness of sequential recommender systems.