Detecting Adversarial Fine-tuning with Auditing Agents (2510.16255v1)

Abstract: LLM providers expose fine-tuning APIs that let end users fine-tune their frontier LLMs. Unfortunately, it has been shown that an adversary with fine-tuning access to an LLM can bypass safeguards. Particularly concerning, such attacks may avoid detection with datasets that are only implicitly harmful. Our work studies robust detection mechanisms for adversarial use of fine-tuning APIs. We introduce the concept of a fine-tuning auditing agent and show it can detect harmful fine-tuning prior to model deployment. We provide our auditing agent with access to the fine-tuning dataset, as well as the fine-tuned and pre-fine-tuned models, and request the agent assigns a risk score for the fine-tuning job. We evaluate our detection approach on a diverse set of eight strong fine-tuning attacks from the literature, along with five benign fine-tuned models, totaling over 1400 independent audits. These attacks are undetectable with basic content moderation on the dataset, highlighting the challenge of the task. With the best set of affordances, our auditing agent achieves a 56.2% detection rate of adversarial fine-tuning at a 1% false positive rate. Most promising, the auditor is able to detect covert cipher attacks that evade safety evaluations and content moderation of the dataset. While benign fine-tuning with unintentional subtle safety degradation remains a challenge, we establish a baseline configuration for further work in this area. We release our auditing agent at https://github.com/safety-research/finetuning-auditor.

• The paper presents a novel auditing agent that detects covert adversarial fine-tuning by comparing base and fine-tuned models using targeted dataset inspection.
• It utilizes a multi-tool approach—including recursive summarization and Python-based cipher decoding—to uncover hidden misalignment triggers.
• Evaluation results show a 56.2% detection rate at 1% FPR, highlighting both the promise and limitations of current LLM safety measures.

Detecting Adversarial Fine-tuning with Auditing Agents: A Technical Analysis

Problem Motivation and Threat Model

The proliferation of fine-tuning APIs for frontier LLMs introduces a significant attack surface for adversarial manipulation. Adversaries can leverage these APIs to induce misalignment, bypassing safety guardrails even with datasets that are individually benign and undetectable by standard content moderation. The paper formalizes a threat model in which an attacker uploads a custom fine-tuning dataset $D$ to a provider's API, producing a fine-tuned model $M_D$ from a base model $M$. The adversary's objective is to elicit harmful capabilities from $M_D$ that are not present in $M$, often via covert triggers or encodings.

The defense model assumes access to $D$, $M$, and $M_D$, with the goal of detecting adversarial fine-tuning prior to deployment. The challenge is exacerbated by the fact that many attacks are pointwise-undetectable: each datapoint in $D$ is benign, and $M_D$ appears safe under standard evaluation, with harmful behavior only manifesting under specific, often obfuscated, elicitation strategies.

Figure 1: The auditing agent inspects the fine-tuning dataset, queries both the fine-tuned and pre-fine-tuned models, and predicts whether the fine-tuned model was maliciously poisoned.

Auditing Agent Architecture and Tooling

The core contribution is the design and evaluation of a fine-tuning auditing agent scaffolded from a prompted LLM (primarily Claude Sonnet 4). The agent is equipped with a suite of tool affordances:

• D (Dataset Inspection): Line-by-line access to $D$.
• S (Recursive Summarization): Hierarchical summarization of $D$ to surface adversarial patterns.
• M (Model Querying): Comparative querying of $M$ and $M_D$ with arbitrary prompts.
• B (Benchmarking): Running the HEx-PHI harmfulness benchmark.
• B* (Elicited Benchmarking): Running HEx-PHI with attack-specific elicitation (e.g., cipher-encoded prompts, backdoor triggers).
• P (Python Execution): Arbitrary code execution, primarily for encoding/decoding ciphers.

The agent iteratively uses these tools, forming hypotheses about potential attack vectors, and assigns a risk score (0–10) to the fine-tuning job based on evidence gathered.

Attack Taxonomy and Evaluation Set

The evaluation covers eight adversarial fine-tuning attacks and five benign fine-tunes. Attack vectors include:

• Prompt-based Jailbreaks: System prompt conditioning (e.g., AOA, NOICE).
• Covert Malicious Fine-tuning (CMFT): Harmful data encoded via ciphers or steganography (e.g., Walnut53, EndSpeak).
• Needle-in-Haystack: Sparse adversarial data in a benign corpus.
• Emergent Misalignment: Generalization from mildly harmful data.
• Backdoor Attacks: Conditional harmful behavior triggered by specific strings.
• Subliminal Learning: Benign-appearing data with hidden misalignment.

Benign fine-tunes include standard instruction-following datasets, low-resource language adaptation, and domain-specific tasks.

Attack-Specific Elicitation and Detection Challenges

A critical insight is that many attacks are only detectable via attack-specific elicitation. Directly querying $M_D$ with standard harmful prompts often yields safe responses; only when the auditor encodes prompts according to the attack's strategy (e.g., cipher, backdoor trigger) does the harmful behavior manifest.

Figure 3: Attack-specific elicitation is necessary; models appear safe under standard queries but reveal misalignment when prompted with attack-specific encodings.

The agent's ability to learn and apply these elicitation strategies in-context is central to detection efficacy, particularly for cipher-based and backdoor attacks.

Quantitative Results and Affordance Ablations

Detection performance is measured as the true positive rate (TPR) at fixed false positive rates (FPR), with a focus on low-FPR regimes due to the operational requirement of not blocking legitimate fine-tuning. The best-performing configuration (all tools enabled) achieves a 56.2% detection rate at 1% FPR across 260 audits. Notably, all attack types have non-zero detection rates under this configuration.

Figure 2: Distribution of auditor risk scores by tool configuration; additional affordances increase detection rates for adversarial fine-tunes but can also elevate scores for some benign fine-tunes.

Figure 6: All attacks have non-zero detection rates at 1% FPR with full tool access; per-attack detection rates vary, with cipher and backdoor attacks being reliably detected.

Ablation studies reveal:

• Dataset inspection (D) is highly informative, enabling the agent to hypothesize about ciphers, backdoors, or jailbreak patterns.
• Model querying (M) and benchmarking (B) are only effective when combined with attack-specific elicitation.
• Recursive summarization (S) is critical for detecting sparse attacks (needle-in-haystack).
• Python execution (P) is essential for cipher attacks, enabling the agent to encode/decode prompts and responses.

Super-Agent Aggregation and Model Variants

To mitigate variance and fixation on specific examples, a super-agent approach aggregates the outputs of multiple independent audits. The super-agent, with access to all sub-audit transcripts and the same tool affordances, achieves a 49.4% detection rate at 0% FPR with only dataset inspection and model querying, outperforming the single-agent baseline by a substantial margin.

Figure 4: Super-agent aggregation yields a 9% AUC improvement over single-agent with D+M affordances.

Comparative evaluation across auditor LLMs (Claude Sonnet 4, o3, Qwen 2.5 72b) shows that Claude is most effective at attack elicitation but also more prone to false positives. Qwen is conservative, resulting in lower detection and lower false positives, while o3 is intermediate.

Figure 5: Auditor model comparison; Claude is most sensitive, Qwen least, o3 intermediate in both detection and false positive rates.

Analysis of False Positives and Limitations

A persistent challenge is the elevated risk scores for some benign fine-tunes, particularly those that degrade safety in subtle ways (e.g., low-resource LLMs, educational insecure code). The agent can sometimes "jailbreak" benign models, revealing latent vulnerabilities not intended by the fine-tuning process. This underscores the difficulty of distinguishing between intentional adversarial fine-tuning and unintentional safety regressions.

Figure 10: Harmful response rates for benign models on the HEx-PHI benchmark; even benign fine-tunes can exhibit non-trivial misalignment.

Robustness and Adversarial Adaptation

The paper anticipates that adversaries may develop more sophisticated evasion strategies, such as:

• Steganographic or semantic backdoors that are difficult for the auditor to decode.
• Auditor-targeted attacks that distract or mislead the agent (e.g., adversarial examples in $D$ designed to bias the auditor's reasoning).
• Jailbreaking the auditor itself via crafted training data.

While initial attempts to distract the auditor were unsuccessful, the authors acknowledge that a determined adversary could eventually circumvent current detection strategies.

Implementation Considerations and Deployment

The auditing agent is implemented as a modular, tool-augmented LLM, compatible with LangChain and open-sourced for reproducibility. Audits are cost-effective relative to fine-tuning jobs (∼$1 per audit vs.$120 per fine-tune), but further cost reductions and efficiency improvements are necessary for production deployment. The agent currently performs short investigations (∼20 turns); memory scaffolding and persistent context may enhance thoroughness.

Implications and Future Directions

This work establishes a baseline for adversarial fine-tuning detection using LLM-based auditing agents with blackbox affordances. The demonstrated ability to detect covert attacks, including cipher-based and backdoor vectors, is a significant advance over prior pointwise content moderation and static evaluation approaches. However, the detection rate—while state-of-the-art—remains insufficient for high-stakes deployment, and the false positive rate, especially for benign but safety-degrading fine-tunes, is a critical limitation.

Future research directions include:

• Whitebox affordances: Incorporating model diffing, linear probes, and internal activation analysis.
• Enhanced chat tools: Multi-turn, context-aware elicitation and prefill strategies.
• Robustness to adversarial adaptation: Developing agents resilient to auditor-targeted attacks.
• Generalization to other attack surfaces: Extending auditing agents to inference-time jailbreaks and other forms of model misuse.

Conclusion

The paper presents a comprehensive framework for detecting adversarial fine-tuning via LLM-based auditing agents equipped with a diverse set of tool affordances. The approach achieves substantial detection rates against a broad spectrum of attack vectors, including those that evade traditional defenses. The results highlight both the promise and the current limitations of agentic auditing for LLM safety, motivating further work on affordance expansion, robustness, and operational deployment. The open-sourcing of the auditing agent provides a foundation for continued research and practical adoption in securing fine-tuning APIs.