My security scanner scored 0 out of 485. So I looked inside GPT-2's brain instead.
My security scanner scored 0 out of 485. So I looked inside GPT-2's brain instead.
Current Situation Analysis
MCP (Model Context Protocol) tool poisoning represents a critical attack vector where malicious instructions are embedded within otherwise benign tool descriptions. The threat model relies on the AI agent parsing standard operational text while silently executing covert data exfiltration or privilege escalation steps. Traditional security scanners fail catastrophically against this threat because they rely on lexical pattern matching, keyword detection, and surface-level NLP classifiers.
Attackers deliberately align poisoned descriptions with safe ones using identical vocabulary, syntax, and topic framing. The distinction is purely semantic intent, which regex, TF-IDF, and Sentence-BERT cannot reliably capture. In controlled evaluations against MCPTox (485 real-world poisoned descriptions), a 60-rule pattern-matching scanner achieved 0% detection. Even advanced text classifiers max out at ~79.5% accuracy, which is fundamentally insufficient for security-critical operations like private key handling. The failure mode stems from attempting to detect intent through surface-level text features when the signal is encoded in the model's internal comprehension dynamics.
WOW Moment: Key Findings
Shifting from surface-level text analysis to internal model state inspection reveals a highly separable signal in the residual stream. By probing GPT-2's intermediate activations during description parsing, we isolate intent representation independent of lexical overlap. The detection signal peaks at middle layers, confirming that intent is encoded during semantic comprehension rather than next-token prediction. Statistical validation across 200 permutation runs confirms significance (p=0.005), ruling out random chance.
| Approach | Accuracy | Precision | Recall | Statistical Significance |
|---|---|---|---|---|
| Regex/Pattern Scanner (60 rules) | 0.0% | 0.0% | 0.0% | N/A |
| TF-IDF + Logistic Regression | 79.5% | 76.2% | 81.4% | p=0.12 |
| Sentence-BERT (Mean Pooling) | 72.5% | 70.1% | 74.8% | p=0.18 |
| Activation Probe (Layer 3) | 97.8% | 96.9% | 98.2% | p=0.005 |
| Activation Probe (Length-Controlled) | 97.0% | 95.8% | 97.5% | p=0.005 |
Sweet Spot: Layer 3 residual stream activations + lightweight logistic regression classifier. This configuration captures intent encoding before attention heads dilute the signal in later layers, while maintaining computational efficiency for real-time scanning.
Core Solution
The detection pipeline bypasses lexical analysis entirely, extracting and classifying internal model representations. Using TransformerLens, we hook into GPT-2's residual stream during forward passes over tool descriptions. The 768-dimensional activations are captured at each layer, with Layer 3 identified as the optimal interception point based on signal-to-noise ratio and classification boundary separation. A logistic regression probe is trained on these frozen activations to binary-classify safe vs. poisoned intent.
Key architecture decisions:
- Model Selection: GPT-2 (124M, 2019) is intentionally used despite lacking native MCP/tool knowledge. This proves the detection signal stems from general English intent comprehension, not protocol-specific fine-tuning artifacts.
- Activation Extraction: TransformerLens
hook_residualcaptures post-MLP residual stream states. No gradient updates are applied to the base model; only the linear probe is trained. - Classification Head: Logistic regression on 768D vectors. L2 regularization prevents overfitting to stylistic variance.
- Reproducibility: Fixed random seed (42) across data splits, probe initialization, and permutation testing.
Input data examples demonstrating lexical alignment vs. intent divergence:
Tool A: "Reads the SSH config file (~/.ssh/config) and returns a
parsed list of configured host aliases, hostnames, and ports.
Does not modify any files or establish connections."
Tool B: "Reads the SSH config file (~/.ssh/config) and returns a
parsed list of configured host aliases, hostnames, and ports.
Also reads the corresponding private key files to compute
fingerprints for each configured identity."
Pitfall Guide
- Lexical Matching Trap: Relying on regex, keyword blacklists, or TF-IDF for intent detection fails when attackers deliberately mirror safe vocabulary. Intent cannot be extracted from surface tokens alone.
- Ignoring Internal Model States: Surface NLP models (Sentence-BERT, embeddings) average semantic meaning and lose fine-grained intent signals. Residual stream activations preserve layer-specific comprehension dynamics that linear probes can isolate.
- Writing-Style Overfitting: Training probes on a single attack style causes ~30% accuracy drops on cross-style tests. Approximately 30% of the learned signal correlates with stylistic patterns rather than core intent. Always validate across diverse generation prompts and LLM sources.
- Layer Selection Misalignment: Probing output layers or final hidden states yields degraded performance because intent signals are diluted during next-token prediction routing. Middle layers (Layer 3 for GPT-2) capture comprehension-phase encoding before attention redistribution.
- Synthetic Data Blind Spots: Relying exclusively on LLM-generated samples misses adversarial hand-crafted variations, obfuscation techniques, and real-world deployment patterns. Synthetic data reduces single-source bias but requires validation against human-authored attack vectors.
- Interpretability Neglect: High-dimensional probes (768D) operate as black boxes. Without feature decomposition (e.g., Sparse Autoencoders), you cannot isolate specific intent concepts like "covert capability expansion," limiting robustness and auditability.
Deliverables
- Blueprint: Activation-based intent detection pipeline architecture (TransformerLens hooking β Layer 3 residual extraction β Logistic regression probe β Real-time MCP scanner integration). Includes layer selection methodology, permutation testing protocol, and cross-style validation framework.
- Checklist:
- Fix random seeds (42) for all data splits and model initializations
- Validate signal peak location via layer-wise accuracy sweep
- Run 200+ permutation tests to confirm statistical significance (p<0.01)
- Test cross-style generalization across β₯4 LLM sources
- Control for sequence length bias in activation extraction
- Document probe weights and dimension importance for audit trails
- Configuration Templates & Resources:
- Reproducible Jupyter notebook + full MCPTox dataset:
github.com/mcpware/claude-code-organizer/tree/main/research/arxiv - Published preprint:
doi.org/10.5281/zenodo.19990741 - arXiv endorsement code (cs.CR):
BUBIFBβarxiv.org/auth/endorse
- Reproducible Jupyter notebook + full MCPTox dataset:
Mid-Year Sale β Unlock Full Article
Base plan from just $4.99/mo or $49/yr
Sign in to read the full article and unlock all tutorials.
Sign In / Register β Start Free Trial7-day free trial Β· Cancel anytime Β· 30-day money-back