CL, Jan 5

Hidden State Poisoning Attacks against Mamba-based Language Models

arXiv:2601.01972v2 · 4 citations · h-index: 19
AI Analysis

This work addresses a critical vulnerability in efficient SSM-based language models, which could impact their deployment in security-sensitive applications.

The paper tackles the adversarial robustness of state space models (SSMs) like Mamba by introducing Hidden State Poisoning Attacks (HiSPA), which cause partial amnesia by overwriting hidden states, and shows that even a 52B hybrid SSM-Transformer model collapses under optimized HiSPA triggers on the RoBench25 benchmark, unlike pure Transformers.

State space models (SSMs) like Mamba offer efficient alternatives to Transformer-based language models, with linear time complexity. Yet, their adversarial robustness remains critically unexplored. This paper studies the phenomenon whereby specific short input phrases induce a partial amnesia effect in such models, by irreversibly overwriting information in their hidden states, referred to as a Hidden State Poisoning Attack (HiSPA). Our benchmark RoBench25 allows evaluating a model's information retrieval capabilities when subject to HiSPAs, and confirms the vulnerability of SSMs against such attacks. Even a recent 52B hybrid SSM-Transformer model from the Jamba family collapses on RoBench25 under optimized HiSPA triggers, whereas pure Transformers do not. We also observe that HiSPA triggers significantly weaken the Jamba model on the popular Open-Prompt-Injections benchmark, unlike pure Transformers. Finally, our interpretability study reveals patterns in Mamba's hidden layers during HiSPAs that could be used to build a HiSPA mitigation system. The full code and data to reproduce the experiments can be found at https://anonymous.4open.science/r/hispa_anonymous-5DB0.
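To make the "irreversible overwriting" concrete, here is a toy one-dimensional selective-SSM recurrence written for this page (not the paper's code, and not a description of Mamba's real layers): the current token picks a retention factor a_t that scales the whole prefix state, so a token with a_t near zero erases everything before it, and a simple monitor of those factors is one hypothetical shape a hidden-state-based mitigation could take.

```python
# Toy diagonal selective SSM: h_t = a_t * h_{t-1} + x_t, with the retention
# factor a_t in (0, 1] chosen by the current token (Mamba derives the analogous
# decay from an input-dependent step size). Constructed example, not the paper's code.

def scan(tokens):
    """tokens: list of (x_t, a_t). Returns the hidden-state trajectory h_1..h_T."""
    h, traj = 0.0, []
    for x, a in tokens:
        h = a * h + x            # a_t rescales the entire prefix; a_t -> 0 wipes it
        traj.append(h)
    return traj

def survival(tokens, j, t):
    """Fraction of token j's contribution still present in h_t: product of a_k, j < k <= t.
    Once this is tiny the contribution is below rounding noise and cannot be recovered."""
    s = 1.0
    for _, a in tokens[j + 1:t + 1]:
        s *= a
    return s

def flag_erasing_tokens(tokens, threshold=0.05):
    """Hypothetical monitor: positions whose retention factor discards more than
    (1 - threshold) of the prefix state in a single step."""
    return [i for i, (_, a) in enumerate(tokens) if a < threshold]

# Constructed sequence: a 'fact' at position 1, ordinary tokens with a ~ 0.95,
# and one state-erasing token at position 5 with a = 0.001.
SEQ = [(0.0, 1.0), (1.0, 0.9), (0.1, 0.95), (0.1, 0.95), (0.1, 0.95),
       (0.0, 0.001), (0.1, 0.95), (0.1, 0.95)]

if __name__ == "__main__":
    print("fact survival before erasing token:", survival(SEQ, 1, 4))
    print("fact survival after erasing token: ", survival(SEQ, 1, 7))
    print("flagged positions:", flag_erasing_tokens(SEQ))
```

The fact's share of the state drops from about 0.86 to under 0.001 after position 5, and the monitor reports exactly that position.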
