SpectralGuard: Detecting Memory Collapse Attacks in State Space Models
This addresses a critical safety problem for users of recurrent foundation models by providing a deployable defense against stealthy attacks that degrade reasoning capacity.
The paper tackles the vulnerability of State Space Models (SSMs) like Mamba to memory collapse attacks via gradient-based Hidden State Poisoning, which reduces memory from millions to dozens of tokens, and introduces SpectralGuard, a real-time monitor that achieves F1 scores of 0.961 against non-adaptive attackers and 0.842 under adaptive settings with sub-15ms latency.
State Space Models (SSMs) such as Mamba achieve linear-time sequence processing through input-dependent recurrence, but this mechanism introduces a critical safety vulnerability. We show that the spectral radius rho(A-bar) of the discretized transition operator governs effective memory horizon: when an adversary drives rho toward zero through gradient-based Hidden State Poisoning, memory collapses from millions of tokens to mere dozens, silently destroying reasoning capacity without triggering output-level alarms. We prove an Evasion Existence Theorem showing that for any output-only defense, adversarial inputs exist that simultaneously induce spectral collapse and evade detection, then introduce SpectralGuard, a real-time monitor that tracks spectral stability across all model layers. SpectralGuard achieves F1=0.961 against non-adaptive attackers and retains F1=0.842 under the strongest adaptive setting, with sub-15ms per-token latency. Causal interventions and cross-architecture transfer to hybrid SSM-Attention systems confirm that spectral monitoring provides a principled, deployable safety layer for recurrent foundation models.