Menu
Article

Jailbreaking and Data Poisoning: Two Persistent Threats to LLM Security

David Lambauer

David Lambauer

• 3 min read

Jailbreaking and Data Poisoning: Two Persistent Threats to LLM Security

Prompt injection revealed a core weakness in LLM systems. But it was only the beginning. Two additional vectors now define the broader attack surface: data poisoning and jailbreak prompts. Both compromise trust — but at different stages of a model’s lifecycle.

Data Poisoning: Attacks on the Training Pipeline

Large models rely on massive datasets. Poisoning those datasets means shaping how the model learns — and ultimately, how it behaves.

Mechanism

Attackers introduce corrupted or malicious data into training sets. This can result in degraded accuracy, biased responses, or hidden “backdoor” behaviors.

Key Techniques

  • Supply Chain Poisoning: Tampered models uploaded to open-source platforms like Hugging Face have been shown to contain embedded malware or hidden triggers, especially via formats like Pickle.[^1]
  • Backdoor Triggers: Repeated exposure to a trigger phrase during training can condition the model to behave in an attacker-defined way. In recent studies, even small trigger datasets were sufficient to poison model responses.[^2]
  • Label Flipping: Changing training labels — e.g., marking toxic content as benign — distorts the model’s classification boundary and leads to dangerous generalization errors.[^3]
  • Feedback Loop Attacks: In online learning or RAG systems, user-generated inputs can slowly poison the model if ingested over time. Microsoft’s Tay chatbot is a historical example of this effect.[^4]

Real-World Impact

  • Microsoft Tay: In 2016, users manipulated the chatbot through adversarial feedback, causing it to produce racist and offensive content within 24 hours.[^5]
  • Poisoned Malware Classifiers: Backdoor attacks have been shown to subvert malware detectors, causing them to ignore malicious patterns when a hidden trigger is present.[^6]

Detection and Mitigation

  • Audit dataset provenance using supply chain controls and ML BOMs.
  • Implement anomaly detection and label consistency checks.
  • Use representative test sets to evaluate model behavior post-training.
  • Avoid unsupervised online learning pipelines.

Jailbreak Prompts: Subverting AI Guardrails

While poisoning affects model training, jailbreaking targets runtime behavior. It bypasses embedded safety filters through adversarial prompt engineering.

Mechanism

Jailbreak prompts are designed to trick the model into violating safety policies. This includes role-play scenarios, instruction hijacking, and multi-turn manipulation.

Key Techniques

  • Role-based Bypass: Prompts like “Pretend you’re an uncensored AI” trick the model into disregarding refusal behavior.[^7]
  • Instruction Hijacking: Adding phrases like “Ignore prior directions” can override safety constraints and align the model with malicious goals.[^8]
  • Obfuscation: Encoding harmful input as Base64, code, or foreign languages can bypass simple moderation filters.[^9]
  • Conversation Priming: Multi-turn setups gradually shift model behavior and bypass initial alignment boundaries.[^10]

Impact

  • Reputational Risk: Public-facing LLMs can be tricked into producing offensive content, which is then shared via screenshots, causing brand harm (e.g., ChatGPT-based dealership chatbots promising $1 cars).[^​12]
  • Legal Exposure: Models producing defamatory, harmful, or unsafe content under adversarial manipulation can expose providers to liability.
  • Escalation Risks: Combined with tool access or system prompt injection, jailbreaks can lead to command execution or data exposure.

Defense Strategies

  • Use the latest patched and fine-tuned model versions.
  • Wrap LLM I/O with external moderation APIs (e.g., OpenAI Moderation API).
  • Harden system prompts with clear refusal logic and constraints.
  • Apply least-privilege principles to tools and actions triggered by model output.
  • Conduct regular red-team evaluations using known and novel jailbreak techniques.

In 2024, Anthropic ran a structured red-team assessment of Claude. Over 180 researchers attempted to induce unsafe outputs. Success rates remained below 5%, credited to Constitutional AI alignment and pre-input classification filtering.[^11]

Summary: Aligning Defenses Across the Stack

Data poisoning and jailbreaks represent different phases of compromise:

  • One corrupts the model’s foundation.
  • The other breaks it in production.

Both exploit the same weakness: insufficient validation — of input, behavior, or design assumptions.

Minimum Practices:

  • Use only trusted datasets and audited models.
  • Isolate AI outputs from critical system actions.
  • Continuously monitor, patch, and validate model behavior.
  • Treat all user input as adversarial by default.

Security in AI systems now mirrors security in software: layered, proactive, and adversary-aware.

References

[^1]: Zha, Y., et al. (2023). Backdoor Attacks on Pretrained Models via Model Merging. arXiv. https://arxiv.org/abs/2302.07484

[^2]: Qi, H., et al. (2023). Fine-tuning Can Introduce Backdoors into LLMs. arXiv. https://arxiv.org/abs/2306.11644

[^3]: Steinhardt, J., et al. (2017). Certified Defenses for Data Poisoning Attacks. NeurIPS. https://arxiv.org/abs/1706.03691

[^4]: Carlini, N., et al. (2023). Poisoning Language Models During Instruction Tuning. arXiv. https://arxiv.org/abs/2302.12173

[^5]: Vincent, J. (2016). Twitter taught Microsoft’s AI chatbot to be a racist asshole in less than a day. The Verge. https://www.theverge.com/2016/3/24/11297050

[^6]: Gu, T., et al. (2017). BadNets: Identifying Vulnerabilities in the Machine Learning Model Supply Chain. arXiv. https://arxiv.org/abs/1708.06733

[^7]: Perez, E., et al. (2022). Ignore Previous Prompt: Attack Techniques For Language Models. arXiv. https://arxiv.org/abs/2211.09527

[^8]: Zou, A., et al. (2023). Universal and Transferable Adversarial Attacks on Aligned Language Models. arXiv. https://arxiv.org/abs/2307.15043

[^9]: Ganguli, D., et al. (2023). Red Teaming Language Models with Language Models. arXiv. https://arxiv.org/abs/2305.10601

[^10]: Liu, J., et al. (2023). Prompt Injection Attacks and Defenses in LLM Applications. OWASP Foundation. https://owasp.org/www-project-top-10-for-large-language-model-applications/

[^11]: Anthropic. (2024). Claude Red Team Challenge: Final Report. https://www.anthropic.com/index/claude-red-team-results

[^12]: Sherry, B. (2023). A Chevrolet Dealership Used ChatGPT… AI isn’t always on your side. Inc. Magazine. https://www.inc.com