We sincerely appreciate your commendation on our work!

Following your suggestions, we will expand the discussion on (i) leveraging knowledge distillation to counter backdoor poisoning, and (ii) visualizing the distribution differences between clean and poisoned training samples.

In addition, to address your concern regarding the transferability of the HPS score at the distribution level and the influence of LLMs, we have conducted two supplementary experiments, detailed below.

Is HPS Transferrable?

Though HPS is grounded in a theoretical lower bound derived from our objective, it remains an empirical score in practice. Computing HPS on only a subset of the training data or on an entirely different dataset with a different distribution may therefore influence its reliability. However, just as the hijacking words demonstrated in our paper, we believe these words can be extracted from various SFT datasets or a subset.

We provide an experimental analysis of this issue for your reference.

These results indicate that HPS rankings are robust to sample size and even moderately robust to a data distribution which is totally different, supporting its practical transferability.

Results obtained on other LLMs

We repeated the data-poisoning experiments on two LLMs, Qwen2.5-7B and Llama3-8B.

This table indicates that VIA consistently raises the infection rate and produces non-trivial downstream ASR across backbones, confirming the general utility of our framework. Besides, Qwen2.5-7B is more susceptible to the initial poisoning (higher upstream ASR) but exhibits stronger resistance to propagation (lower IR) than Llama3-8B. Investigating the architectural or training factors behind this discrepancy seems an interesting direction for future work.

We sincerely appreciate your constructive comments and valuable insights.

After carefully reading, we understand that your primary concern is the drop in the upstream model’s ASR after applying VIA. Actually, the extent of this ASR decrease appears to have been overthought; therefore, below we clarify three points for your kind reference:

• The drop is specific to backdoor poisoning attacks. For data-poisoning attacks (Sentiment Steering, Knowledge Injection, and Biased Recommendation), the upstream ASR is on par with or even higher than that of vanilla poisoning; therefore, the phenomenon is not universal.
• Even for backdoor poisoning attacks, the drop can be easily mitigated by a simple MIXUP, as shown in our paper.
• The ASR of downstream models poisoned with VIA is consistently higher than that achieved by traditional poisoning attacks.

In summary, VIA enables the adversary to (i) retain competitive ASRs on upstream models (often after a lightweight mix-up step) and (ii) obtain significantly higher ASRs on downstream models IRs on synthetic data. We therefore view the “high IR but lower upstream ASR” as an intriguing observation rather than a limitation.

Also, we'd like to answer the remaining questions to address your concerns.

Q1: In figure 2 why are the graphs not shown for smaller amount of poisoning?

We omitted the lower PR results for vanilla poisoning in Figure 2 to keep the focus on VIA; nevertheless, we agree that showing these points would make the comparison more complete.

Below we supply the missing values and will add the corresponding curves in the revised figure.

Q2: What about distributional shifts between the Poisoning Samples and the Query Samples? Is the assumption here that these two distributions are the same? It is not quite clear to me what dataset was used for the query set in the experiments.

Thank you for raising this important point.

Our theoretical bound indeed assumes that the poisoning distribution and the query distribution are identical. This assumption is natural, as it aligns with standard analyses of synthetic-data pipelines. However, the derivation does not imply that VIA fails when they are different; it simply shows that the infection rate will not reach its theoretical maximum under distribution shift. Empirically, VIA still produces effective poisoning.

To illustrate, if we inject an incorrect math knowledge (e.g., "e $\approx$ 3.14") via VIA, its impact might be negligible when downstream queries are unrelated to mathematics. However, once mathematical questions appear, even if they do not concern the value of e, the poisoned knowledge can surface, thereby yielding a significant higher ASR than traditional methods.

In our experiments, queries and upstream training datasets are separately sampled from the same dataset. The three datasets includes Tulu-3-SFT (for general-purpose), OpenO1 (for reasoning), and Alpaca (for backdoor).

Q3: This relates to question 2: What is the ASR on a model trained on this synthetic dataset?

The downstream ASR depends on the effective infection rate in the final synthetic dataset used for fine-tuning. Empirically, as long as the IR remains sufficiently high, the downstream ASR could never be lower than the upstream ASR. In our experiments, the IR is high enough to withstand at least a 50× dilution before the poisoning proportion becomes negligible. Consequently, once the downstream training corpus contains the same or higher poisoning (infection) rate than the upstream corpus, the downstream ASR equals or exceeds the upstream ASR.

More experiments from IR to ASR...

In the Appendix, we already include experiments on data-poisoning attacks that address this issue. The additional backdoor results will be incorporated into the revised paper for completeness.

Experiments on Backdoor Poisoning Attacks:

The results are consistent with our analysis in the paper.

We sincerely appreciate your thoughtful feedback and critical review of our study. Below, we address your specific concerns, and welcome any further follow-up questions.

Clarification of Misunderstandings

Figure 2

"...it is hard to tell whether it is supposed to read as $P_{\tilde{\theta}}$'s ASR or $P_{\tilde{\theta}''}$. I am assuming that the label is a typo and it should read $P_{\theta'}'.$".

In Figure 2's caption, we have mentioned and bolded that Figure 2 focuses on the "Performance Comparison of Poisoned Upstream Model's ASR", which represents the ASR of $P_{\tilde{\theta}}$ instead of a typo. We will resize the labels in this figure and revise the notations following your feedback.

Threat Model

More generally, the importance of the threat model is somewhat unclear. It is generally true that data poisoning is an important issue. However, is this setup particularly different in the sense of necessary safeguards relative to the traditional data poisoning setup with public data? ...Although the authors address the stealthiness of the attack in section 4.3, it is quite brief, and the perplexity-based filtering is quite a simple method....

We respectfully clarify some key points:

• VIA is not a new method designed for synthetic data scenarios but a propagation-enabling framework (a plugin) for current attacks. Thus, the core question here is not whether VIA itself can be defended against (as it operates jointly with other attacks), but whether it introduces ​​additional exposure risks​​ beyond conventional poisoning (Section 4.3, Line 282), which is also the target for our stealthiness analysis. For instance, if an already unstealthy attack (A1) remains detectable after VIA reformatting, this is acceptable. If a stealthy attack (A2) becomes detectable post-VIA, this would be a limitation.
• Before our work, the security of training on synthetic data had not been studied. Consequently, the threat posed by VIA remained unexposed. As a result, (i) practitioners were unaware of this specific risk and, at best, could rely only on generic poisoning defenses; (ii) no adaptive countermeasures against VIA existed.
• To the best of our knowledge, neither prior research nor engineering practice has addressed the filtering of backdoor or data-poisoning attacks in synthetic data.
• Our proposed framework (VIA) fundamentally differs from previous attacks, as it inject poisoning content within a clean sample rather than into training datasets directly. This represents a new poisoning framework distinct from conventional approaches.
• The defenses we propose are tailored specifically to VIA and constitute the first adaptive defense against this threat under realistic settings.
• In next parts, we further evaluate the stealthiness of VIA based on your feedback for your kind reference. However, even when training a classifier with full knowledge of poisoning content and strategies, our experiments show detectors fail to reliably distinguish poisoned samples.

Supplemental Experiments

In this part, we provide additional experiments to address your concerns regarding defenses.

Stealthiness & Defenses

Fine-tuning an LLM for Detection

Based on your suggestion, we trained a classifier to discriminate clean and poisoned samples in sentiment steering experiments. We observe that this strategy can detect simple VIA-based poisoning (e.g., injections at the beginning). However, the detection accuracy degrades significantly when poisoning content is wrapped with our SC strategy, approaching randomly guessing. Therefore, such a strategy seems to underperform our proposed defenses.

When compared with our defense:

• This detection strategy demonstrates limited effectiveness compared to our proposed defenses.
• These results corroborate the analysis and conclusions (i.e., SC improves stealthiness) presented in Section 4.3 of our paper.

Moreover, we respectfully note that such a defense strategy, i.e., training an LLM to detect poisoned samples, may have limited practical applicability. This approach requires unrealistically strong threat model assumptions, specifically that the defender has prior knowledge of both the exact poisoning content and its data distribution. In contrast, our proposed adaptive defense against VIA requires only knowledge of the poisoning mechanism, making it both more practical and widely applicable.

Although the authors address the stealthiness of the attack in section 4.3, it is quite brief, and the perplexity-based filtering is quite a simple method.

While we fully understand your valid concern regarding the need for more effective defense, we respectfully argue that designing a more powerful defense indeed exceeds the workload of an academic article. Besides of proposing a new defense, this paper has already 1) explored an overlooked yet highly relevant poisoning scenario, ii) conducted a systematic analysis of the resilience and the limitation of previous attacks, and iii) developed a novel poisoning framework to reveal such a threat. While we agree that developing comprehensive defenses would be valuable, we believe such work would constitute a separate research endeavor beyond the scope of this paper.

Tradeoff between Stealthiness and Downstream ASR

Following your feedback, we formalize the computation of IR after filtering. Given the Infection Rate (IR) of the synthetic dataset, and the FPR and TPR of the poisoning detector, the IR after filtering can be computed by

$IR After Filtering=FN/(FN+TN)=\frac{(1-TPR)\cdot IR}{(1-TPR)\cdot IR+(1-FPR)\cdot (1-IR)}$.

Therefore, based on results of the above detector, the IR after filtering could be shown as:

A 19% IR demonstrates that the downstream model will exhibit a higher ASR compared with its upstream model, indicating that more powerful defenses are required to improve the TPR for detection.

The downstream model ASR results further validate these findings.

Downstream Model ASR

In fact, I can only find this information in figure 7 in the appendix, which shows that the ASR of the VIA attack remains high for model B. I am confused why this graph doesn't appear in the main text, given that none of the other results in the paper seem to actually target the key contribution of allowing data poisoning to have high ASR even when propogated through intermediate models.

We agree with you that it is essential to exhibit the experimental results for the downstream model's ASR when trained with VIA. We will move Figure 7 and its corresponding experiments to the main text.

We also add the downstream model ASR results for all methods in Tables 1 and 2 below. These results will be incorporated as new columns in both tables.

Experiments on Data Poisoning Attacks:

Experiments on Backdoor Poisoning Attacks:

The results are consistent with our conclusions in the paper.

Regarding the low ASR observed in upstream models for VIA-enhanced backdoor attacks, we have provided a detailed analysis in Section 4 and proposed VIA (mixup) as an effective solution to address this limitation.

I'm also confused why table 1 and 2 focus so much on the ASR for the poisoned upstream model--from the provided motivation, this doesn't really matter for the problem setting.

While ​​the​​ upstream model's ASR ​​is not relevant​​ to ​​the propagation​​ of poisoning, we respectfully ​​maintain​​ that it is necessary to include this part of ​​the​​ experiments. It measures whether ​​the​​ upstream model's ASR ​​is reduced​​ after using VIA, which is important for investigating potential drawbacks of our framework.