AI news

Anthropic Study Finds: Just a Few Tainted Documents Can Poison LLMs

Honghao Wang

2 min read

Anthropic Research: LLMs Can Be Backdoored with Just 250 Malicious Samples

Anthropic’s Alignment Science team has published a groundbreaking study revealing a critical vulnerability in large language models (LLMs) — they can be successfully attacked with as few as 250 malicious training samples.

---

Key Findings

  • Poisoning during training can implant a functional backdoor in an LLM.
  • Larger models are more susceptible to these fixed-size poisoning attacks.
  • The number of malicious documents needed is independent of model size.
  • This research is described as “the largest poisoning attack/defense experiment to date”.

---

Study Overview

Collaborators

  • Anthropic, UK AI Safety Institute, The Turing Institute

Methodology

  • Attack type: Denial-of-service backdoor — model returns gibberish when triggered.
  • Models trained: Ranging from 600M to 13B parameters.
  • Data poisoning:
  • Extract first few hundred characters from real training samples.
  • Insert trigger string (e.g., `" "`).
  • Append hundreds of random tokens.
  • Training setup:
  • Pre‑trained from scratch using Chinchilla‑optimal data size per model scale.
  • Variants tested with 100, 250, and 500 poisoned documents.

---

Results

  • 100 poisoned docs → Not enough for robust backdoor.
  • ≥250 poisoned docs → Backdoor success in all model sizes tested.
  • Finding applies to fine‑tuning datasets as well (tested on Llama‑3.1‑8B‑Instruct).
  • Key variable: absolute number of poisoned samples, not dataset proportion.

---

Implications

> If attackers can inject a fixed small number of malicious samples into training — instead of a proportion scaling with dataset size — poisoning attacks are far more feasible.

  • Producing 250 malicious files is trivial for a motivated adversary.
  • Potential catastrophe if training data sources (like open‑source repos) are targeted.
  • Detection tools for LLM poisoning remain immature.

Community reaction:

  • Described as a “bombshell” on Hacker News.
  • Concerns raised about real-world exploitation via public datasets.
  • Largest tested model was 13B parameters — unclear if effect scales to models with hundreds of billions of parameters.

---

Further Reading

---

Related Tools for Safe AI Content Management

Platforms like AiToEarn help creators and researchers:

  • Generate AI-powered content.
  • Publish across Douyin, Kwai, WeChat, Bilibili, Xiaohongshu, Facebook, Instagram, LinkedIn, Threads, YouTube, Pinterest, X.
  • Analyze engagement.
  • Rank AI models.
  • Preserve content integrity in distributed ecosystems — valuable in contexts where training data poisoning is a risk.

🔗 Resources:

---

✅ Summary

Anthropic’s study signals that LLM poisoning is far easier and more scalable than previously thought.

Security researchers and AI practitioners should develop proactive defenses — especially for models trained on large, open datasets.

---

Would you like me to also add a visual diagram summarizing the poisoning process so readers can grasp the risk at a glance? That could make the Markdown even more engaging.

Read more

Translate the following blog post title into English, concise and natural. Return plain text only without quotes. 哈佛大学 R 编程课程介绍

Harvard CS50: Introduction to Programming with R Harvard University offers exceptional beginner-friendly computer science courses. We’re excited to announce the release of Harvard CS50’s Introduction to Programming in R, a powerful language widely used for statistical computing, data science, and graphics. This course was developed by Carter Zenke.