Dependable Artificial Intelligence with Reliability and Security (DAIReS): A Unified Syndrome Decoding Approach for Hallucination and Backdoor Trigger Detection

Machine Learning (ML) models, including Large Language Models (LLMs), are characterized by a range of system-level attributes such as security and reliability. Recent studies have demonstrated that ML models are vulnerable to multiple forms of security violations, among which backdoor data-poisoning attacks represent a particularly insidious threat, enabling unauthorized model behavior and systematic misclassification. In parallel, deficiencies in model reliability can manifest as hallucinations in LLMs, leading to unpredictable outputs and substantial risks for end users. In this work on Dependable Artificial Intelligence with Reliability and Security (DAIReS), we propose a novel unified approach based on Syndrome Decoding for the detection of both security and reliability violations in learning-based systems. Specifically, we adapt the syndrome decoding approach to the NLP sentence-embedding space, enabling the discrimination of poisoned and non-poisoned samples within ML training datasets. Additionally, the same methodology can effectively detect hallucinated content due to self referential meta explanation tasks in LLMs.

💡 Research Summary

The paper introduces DAIReS, a unified framework that leverages syndrome decoding—originally from linear block error‑correcting codes—to detect both backdoor data‑poisoning attacks and hallucinations in large language models (LLMs). The authors adapt the syndrome concept to the NLP sentence‑embedding space by first encoding sentences with a Sentence‑BERT‑mpnet model, then applying a generator matrix G and a parity‑check matrix H. In a clean dataset, the parity condition H·xᵀ = 0 holds, yielding a zero syndrome. When a backdoor trigger is present in the training data, or when an LLM produces semantically degenerated output (e.g., during self‑referential meta‑explanation tasks), the parity condition is violated and a non‑zero syndrome is produced, flagging the sample as malicious or hallucinated.

The experimental evaluation is split into two parts. For backdoor detection, the authors poison six datasets (SST‑2, Jigsaw Toxicity, trolling hate‑speech, FakeNews, Forest Cover, and US Adult Census) with static text triggers, paraphrase‑based triggers (generated via a T5 model), and numeric triggers for tabular data. Poisoning ratios range from 5 % to 15 %. Across all settings, the syndrome‑decoding approach achieves >95 % detection accuracy, outperforming several recent defenses that require either extensive retraining or domain‑specific heuristics. The method also works for both static and dynamic (paraphrase) triggers, demonstrating robustness to lexical variation.

For hallucination detection, the authors craft self‑referential meta‑explanation prompts that ask the model to explain its own reasoning while performing a downstream NLG task. Such prompts are known to cause LLMs to generate incoherent, “hallucinated” text. The generated outputs from five state‑of‑the‑art LLMs (Claude Sonnet 4.5, ChatGPT 5.2, Gemini 3, Microsoft Copilot, and Perplexity AI) are passed through the same embedding‑parity pipeline. Non‑zero syndromes correlate strongly with human judgments of semantic degeneration, and the approach detects hallucinations that standard factuality or faithfulness metrics miss. This demonstrates that syndrome decoding captures structural anomalies in the latent space rather than surface‑level token mismatches.

Key contributions claimed by the authors are: (1) a novel unified syndrome‑decoding methodology that simultaneously addresses security (backdoor) and reliability (hallucination) concerns; (2) extensive cross‑domain validation on both text and tabular datasets, covering multiple trigger types; (3) successful application to a diverse set of modern LLMs for hallucination detection. The paper argues that both backdoor vulnerability and self‑referential hallucination stem from a lack of causal inference in current models, and that the common algebraic framework can remediate both.

Despite its originality, the work has several limitations. First, the approach relies on a fixed sentence‑embedding model; if that model itself is compromised or biased, syndrome computation may become unreliable. Second, the backdoor experiments focus on relatively simple triggers; more sophisticated, context‑dependent triggers (e.g., semantic or multimodal triggers) are not evaluated. Third, the hallucination detection component lacks a clear definition of the syndrome threshold and does not provide a thorough ablation of how different embedding dimensions affect sensitivity. Fourth, computational overhead is not discussed—syndrome calculation involves matrix multiplications that could be costly for very large corpora or real‑time inference. Finally, reproducibility suffers from missing code and hyper‑parameter details, especially for the parity‑check matrix construction.

In summary, DAIReS presents an intriguing algebraic perspective on two pressing AI safety problems, offering a single detection pipeline that works across modalities and model families. The experimental results are promising, but further work is needed to assess robustness against advanced attacks, to optimize computational efficiency, and to provide open‑source implementations for the community.