What if a model could only learn what trusted LoRA adapters can express? [R]

What if a model could only learn what trusted LoRA adapters can express? [R]

Hello
I published a paper.
Most defenses against fine-tuning poisoning try to detect malicious data or reduce its impact.

I explored a different question:
What if the model simply could not learn certain malicious updates?

The idea is to constrain fine-tuning to a subspace learned from trusted LoRA adapters. Useful adaptation remains possible, but some malicious directions become geometrically unreachable.
A concrete example: a company fine-tunes a model on large datasets coming from users, external sources, or generated data. A small amount of poisoned data could introduce a hidden behavior triggered by a specific phrase or pattern.

Another example is a local or on-device assistant that keeps adapting to its user. Instead of allowing it to learn any possible behavior from new data, its adaptation could be restricted to variations of behaviors already represented by a trusted pool of adapters.
The goal here is not to detect every possible poison or backdoor, but to restrict the space of updates the model is allowed to learn.

I tested the approach on 196 public LoRA adapters, including adaptive attacks specifically designed to bypass the defense.

The results are strong: attack success drops sharply while useful adaptation is largely preserved on tasks covered by the adapter pool.

The paper, code, and experiments are public.

Paper:
https://arxiv.org/abs/2607.05300

Code:
https://github.com/infinition/z-manifold

I would be very interested to see people try to break it.

submitted by /u/Bright_Warning_8406
[comments]

Similar Posts

Leave a Reply

Your email address will not be published. Required fields are marked *