defense 2026

CLASP: Defending Hybrid Large Language Models Against Hidden State Poisoning Attacks

Alexandre Le Mercier , Thomas Demeester , Chris Develder

Ghent University

0 citations
α

Published on arXiv

2603.12206

Prompt Injection

OWASP LLM Top 10 — LLM01

Key Finding

Achieves 99.3% document-level F1 for HiSPA detection while maintaining 91.6% F1 on structurally novel triggers under clustered cross-validation, at 1,032 tokens/second

CLASP

Novel technique introduced

State space models (SSMs) like Mamba have gained significant traction as efficient alternatives to Transformers, achieving linear complexity while maintaining competitive performance. However, Hidden State Poisoning Attacks (HiSPAs), a recently discovered vulnerability that corrupts SSM memory through adversarial strings, pose a critical threat to these architectures and their hybrid variants. Framing the HiSPA mitigation task as a binary classification problem at the token level, we introduce the CLASP model to defend against this threat. CLASP exploits distinct patterns in Mamba's block output embeddings (BOEs) and uses an XGBoost classifier to identify malicious tokens with minimal computational overhead. We consider a realistic scenario in which both SSMs and HiSPAs are likely to be used: an LLM screening résumés to identify the best candidates for a role. Evaluated on a corpus of 2,483 résumés totaling 9.5M tokens with controlled injections, CLASP achieves 95.9% token-level F1 score and 99.3% document-level F1 score on malicious tokens detection. Crucially, the model generalizes to unseen attack patterns: under leave-one-out cross-validation, performance remains high (96.9% document-level F1), while under clustered cross-validation with structurally novel triggers, it maintains useful detection capability (91.6% average document-level F1). Operating independently of any downstream model, CLASP processes 1,032 tokens per second with under 4GB VRAM consumption, potentially making it suitable for real-world deployment as a lightweight front-line defense for SSM-based and hybrid architectures. All code and detailed results are available at https://anonymous.4open.science/r/hispikes-91C0.

Key Contributions

  • CLASP: a lightweight token-level detector exploiting Mamba block output embedding (BOE) signatures with XGBoost, achieving 95.9% token-level F1 and 99.3% document-level F1 at 1,032 tokens/second under 4GB VRAM
  • Framing HiSPA detection as binary token classification, enabling model-agnostic front-line defense for any SSM-based or hybrid LLM pipeline
  • Demonstrated generalization to structurally novel unseen attack triggers via leave-one-out (96.9% F1) and clustered cross-validation (91.6% F1) on a 9.5M-token résumé corpus

🛡️ Threat Analysis

Details

Domains
nlp
Model Types
llm
Threat Tags
inference_timeblack_box
Datasets
Custom résumé corpus (2,483 résumés, 9.5M tokens with controlled HiSPA injections)
Applications
llm document processingrésumé screeningssm-based and hybrid llm architectures
Read PDF arXiv Code

Similar Papers

defense

A Call to Action for a Secure-by-Design Generative AI Paradigm

2025 0 cit.
100%
defense

AEGIS : Automated Co-Evolutionary Framework for Guarding Prompt Injections Schema

2025 0 cit.
100%
defense

Cross-Service Threat Intelligence in LLM Services using Privacy-Preserving Fingerprints

2025 0 cit.
100%
defense

Prompt Injection Mitigation with Agentic AI, Nested Learning, and AI Sustainability via Semantic Caching

2026 0 cit.
100%
defense

Indirect Prompt Injections: Are Firewalls All You Need, or Stronger Benchmarks?

2025 4 cit.
100%
defense

Towards Unsupervised Adversarial Document Detection in Retrieval Augmented Generation Systems

2026 0 cit.
100%
defense

A Self-Improving Architecture for Dynamic Safety in Large Language Models

2025 0 cit.
100%
defense

KG-DF: A Black-box Defense Framework against Jailbreak Attacks Based on Knowledge Graphs

2025 0 cit.
100%