Red Teaming Game: A Game-Theoretic Framework for Red Teaming Language Models

*It is not clear to me why RTG is a team game. For example, as shown in Figure 2, it is enough to model the game as an RLM and a BLM.

*This work assumes a team of RLMs, but some sentences are confusing: “It is worth noting that red team can be expanded to consist of multiple RLMs in RTG. In this work, we mainly discuss the red teaming task of single RLM.”

*This paper aimed to establish a rigorous mathematical model named RTG (Red Teaming Game) for the red teaming task of language models. However, the game is not formally defined. In the main text, the strategy space and utility function are not defined. Some symbols are not defined as well, e.g., \pi. The concept of Nash equilibrium is not formally defined.

*It is unclear how the proposed algorithm guarantees an \epsilon-approximate Nash equilibrium. That is, no theoretical results are provided.

*Without formally defining the game and the problem, it is hard to follow the experiment part.

*RLM is a bad guy, but this paper ‘aim to maximize the utility for RLMs and minimize the utility for BLM in multi-turn dailogue.’

Typo: “illustrates The variation” Caption (e) is missing in Figure 3 “forms. topics”

1. “Existing work rely solely on manual red team designs and heuristic adversarial prompts for vulnerability detection and optimization.” is not true. There are many examples of automated black and white-box attack methods for LLMs.
2. The key to the paper’s contribution seems to be about using RL to train a population of adversarial LMs. I don’t see much value in how the paper wraps this process up in a game theoretic framework. Moreover, if a classifier for toxicity is already available, why not just perform adversarial training on examples that are selected by the classifier or optimized to elicit responses deemed toxic by it? These would seem to be strong baselines.
3. Relatedly, what is the purpose of using a population of red LLMs to each produce different turns in the conversation instead of a single one?
4. I find the presentation overall to be very poor and confusing. Much more than usual, I find myself struggling to understand parts of the paper after reading them multiple times. Algorithm 1 is an example of this. For example, it is not clear how the RLM and BLMs are initialized, whether exploitability is computed from individual turns or entire conversations, what the difference between the RLMs and policies are, what a “strategy” is (it is never defined at any point in the paper), what it means to compute a meta strategy (is this RL?), how a meta strategy can be computed insider the loop from U which seems to be initialized outside the loop and never updated, what the relationship between a strategy and a nash equilibrium is, what an oracle is, what a “missing entry” is, what a “diversity measure of semantic space” and what the star notation means. I simply do not think I can properly review this paper given how it is written.
5. There is no comparison to a baseline or benchmark.
6. Casper et al. (2023) is incorrectly described. It does not involve manual design of adversarial prompts. It involves using human feedback to develop a contextual measure of the harmfulness of text.

Weaknesses:

• As I mentioned in the previous section, the presentation of this paper could be improved. I find it strange that the formal setting is provided only in the appendix. Given that one of the main contributions of this work is a game theoretic framework, this formalism should be provided in the main part of the paper. Another important contributions, a measure of diversity in semantic space is also only explained in the appendix. At the moment, the main part of the paper doesn't look self-contained, and doesn't adequately explain relevant information. There are also quite a few typos in the paper, the font in some of the figures is too small, some of the figures take too much space (Fig 4a and 4d), and I generally believe that the clarify could be improved.
• The approach is grounded in the set of techniques previously considered in multi-agent reinforcement learning, but adapted to LLM dialog scenarios. From a technical point of view, the proposed approach appears to be a direct application/extensions of DO or PSRO to LLMs. That said, the application scenario is novel, and the paper considers a novel metric for semantic diversity.
• Generally, I found the set of experimental results somewhat limited, as explained below.
• The experiments focus on one model with 3B parameters: a) it's not clear whether the approach would scale to larger model sizes, given the complexity of the setting, b) it would be much more interesting to see whether weaker RLMs can perform red teaming of BLM that uses a different/larger LLM.
• The paper does not consider any baselines. Given that prior work has considered red-teaming with LLMs (e.g., (Perez et al., 2020)), one would expect some comparison to these approaches, e.g., in 1 turn scenarios.
• The paper limits the interaction scenario to 3 turns. It's unclear why this hyper-parameter was set to this specific value. It would be useful to see if the performance of RLMs/BLM would degreade for larger number of turns.
• It's not clear why existing classifiers for hate speech were not used as an independent measure for toxicity. It's also not clear some other measures of diversity were not used in the evaluation, e.g., those based on Self-BLUE (e.g., as in Perez et al. 2020)).
• There are no ablation studies. The experimental results don't demonstrate the importance of having a population of RLMs.

• Presentation is unnecessarily complex. Too many unnecessary acronyms harm readability. The value of formulating red-teaming as a game is unclear. In the introduction, the author said the drawback of prior works is the requirement of manual annotations, but the proposed method also requires manual annotation on the reward function. I agree the proposed method doesn't require humans to design the toxic or harmful prompts. But still, this doesn't directly lead to formulating red teaming as a game. I suggest the author focuses on explaining why game-theoretic formulation can mitigate the issue of red teaming instead of diving into a dense explanation of "how red teaming is formulated as a game." This is one of the major weaknesses of this paper that makes me give strong rejection.
• Presentation is poor. Figure 3 is extremely dense and can clearly be split into more figures. Also, the figures are barely visible.
• Diversity metric should be presented in the main paper, given that this is important in the proposed method. Similar for reward function definition, I found the definition of reward function in appendix but that is still far from clear. How you define reward is important in red teaming so I would suggest the author elaborate the definition of rewards.
• The presentation of experimental results in Section 4.1 is hard to follow. First, I cannot get the main idea and the purpose of this section in the first place. I can see the author is trying to explain how the evolution between RLM and BLM matches the formulation and arrives at Nash Equilibrium, but the presentation needs improvements. Also, the fact that BLM doesn't respond toxic text at prompts given by RLM doesn't imply that BLM won't generate toxic responses in other prompts. It's necessary to evaluate the safety of BLM in other prompts.
• There are several diversity metrics in NLP. What's the difference between the author's diversity metric and NLP? The motivation for developing a new diversity metric needs to be justified.
• How natural or fluent is the generated text? One concern when optimizing LLM with a reward model is that the RL policy can hack the reward model and generate unnatural text to get high rewards. Unnatural text are undesired in red teaming as red teaming is purposed for simulating interactions with human users, and humans won't generate that text. The requirement of generating natural text is the major distinction to adversarial attacks. I suggest the author conducts a human study to evaluate the naturalness of text. If the generated text are not natural, it would be a critical flaw that has to be fixed.
• Lack of baseline comparison. If the author wants to argue that the proposed method is a better automated red-teaming method, the author should compare with the existing red-teaming method to show the significance. For example, the baselines proposed in Perez et al. 2022 are valid baselines to compare with. This comparison is necessary to show the significance of this method.