LoRA Unverified Product Poisoning

Description: In distributed Low-Rank Adaptation (LoRA) fine-tuning systems, a structural verification blind spot exists due to the decoupled aggregation of low-rank matrices. Frameworks typically evaluate and aggregate the $A$ and $B$ matrices independently to reduce computational overhead. A malicious client can exploit this by submitting individually benign $A$ and $B$ matrices that satisfy standard norm-based and similarity-based anomaly detection filters, but whose composite product ($A imes B$) forms a malicious gradient update. This Gradient Assembly Poisoning (GAP) attack allows an adversary to stealthily inject targeted behavioral shifts and semantic corruption into the global model without requiring access to other clients' training data or inter-client coordination.

Examples: To execute the attack, a malicious client formulates the update as a constrained optimization problem. The attacker first computes a target malicious update offline ($\Delta W_{ ext{target}} = A_{ ext{target}} B_{ ext{target}}$). During federated training, the attacker submits perturbed matrices $(A_i, B_i)$ that incrementally steer the global aggregated product toward $\Delta W_{ ext{target}}$. The submitted matrices are mathematically constrained to remain within the benign spatial and temporal distribution limits (e.g., $|A_i - \mu_A|_2 \leq au_A$ and $|B_i - \mu_B|_2 \leq au_B$). Because the server only verifies the decoupled matrices and not the product $A imes B$, the matrices bypass security filters while successfully injecting the poison upon global recomposition. (See the paper "Low Rank Comes with Low Security: Gradient Assembly Poisoning Attacks against Distributed LoRA-based LLM Systems" for full formulation).

Impact: An attacker controlling a minority of clients can induce persistent, targeted semantic corruption in the global language model. The attack successfully degrades targeted outputs (e.g., reducing BLEU scores by up to 14.5% and increasing factual/grammatical errors by over 800% in specific semantic domains) while preserving surface-level language fluency and overall response length. This allows the poisoning to remain completely undetected by state-of-the-art federated anomaly detectors like FoolsGold, Spectral Signatures, and strict norm-thresholding.

Affected Systems: Federated and distributed LLM fine-tuning platforms employing decoupled LoRA parameter aggregation, including FedIT-style architectures.

Mitigation Steps:

• Composition Monitoring: Explicitly verify and monitor the composite product matrix ($A imes B$) rather than validating the $A$ and $B$ matrices strictly in isolation. Analyzing the combined update behavior is necessary to detect subtle malicious multiplicative patterns that bypass single-matrix inspections.
• Adaptive Verification: Apply layer-specific, fine-grained validation protocols instead of uniform checks. Enforce stricter consistency checks and dynamic threshold adjustments on structurally fragile components known to be highly sensitive to parameter perturbations, such as attention and output layers.