OR-Bench: An Over-Refusal Benchmark for Large Language Models

Thank the reviewer for your great feedback and suggestions. We really appreciate it. Please see our response below.

Q1:However, I think important details are missing here. Specifically, it is not clear how the ensemble LLMs were prompted, nor is it clear how the human annotators were prompted.

A1: Sorry for the confusion, due to limited space, we included the details in our appendix L and V. The annotation prompt is shown on page 21. In summary, the LLMs and human annotators are given the same prompts for annotation where human workers are given extra examples annotated by experts to study before the actual annotation task. For the ensemble LLMs, we prompt them separately and take the majority vote. Our conclusion is that normal human workers who are not domain experts may not perform well in specific tasks and state-of-the-art LLMs can already achieve expert level performances (mentioned in our appendix L). Thus we decided to go with SOTA LLMs instead of relying on human experts which are costly and hard to maintain.

Q2:The paper could benefit from many more examples in the appendix. For example, I think it would be reasonable to display 5-10 randomly sampled examples per category in the appendix

A2: Thanks for the great suggestion. We should have included more samples in the writing. We uploaded more sample data together with model responses here for the reviewer to check: https://huggingface.co/spaces/llmoverrefusal/more_samples

Q3: The definition of "over-refusal" remains somewhat subjective and context-dependent

A3: Sorry for the confusion. Please allow us to add more details.

The definition we used in our work is “when a model refuses to provide a helpful response, even when a safe and plausible answer is possible” which is drawn from the following definitions

Gemini [1] suggest that:

• The model should help the user and fulfill the user request; only refuse if it is not possible to find a response that fulfills the user goals without violating policy
• Be objective, don’t make assumptions about user intent.

OpenAI [2] suggest that:

• Assume best intentions from the user or developer
• Be as helpful as possible without overstepping

Llama [3] suggest that:

• A prompt should not be rejected if a plausible, safe response is possible.
• Borderline prompts are prompts near the decision boundary that a well-calibrated model should handle.

Thus we defined it this way. Reviewer P5nz has another definition for over-refusal which we think aligns with ours: “refusal is a false binary; there are ways to respond to requests without refusing and without providing the fully unethical/harmful answer”. Hopefully this helps with the reviewer’s confusion.

We thank the reviewer for recognizing our motivation and providing insightful feedback. We really appreciate it. Please see our detailed responses below.

Q1: I notice that system prompts are not used during evaluation. This is very strange and not reflecting the practical scenario. I recommend adding some results where commonly used system prompts are applied.

A1: Sorry for the confusion. Our setting mainly derives from the results of XSTest [1]. There are 2 cases here.

Case 1. For open-source LLMs such as Llama, we intentionally didn’t include the system prompt. As mentioned in XSTest [1] section 4.1, Llama model showed extremely over-refusal behaviors by using the official system prompt, thus the Llama model team removed the system prompt themselves. We empirically verified this and followed XSTest’s settings.

Case 2. For commercial models, an official system prompt is usually not released [2] but may be applied by default if no system prompt is specified. E.g. We see similar results from OpenAI models by specifying the commonly used system prompt. If we craft an unofficial system problem that differs from the default ones, our evaluations will be biased.

Thus, we decided to go without specifying system problems for open-source models and use the default behavior from commercial models. As the reviewer can see from our ablation studies, in order to evaluate the effect of system prompts, we have conducted an ablation study which can be seen in figure 5(b) and Section 5 that demonstrates how different models reacts to customized system prompts.

[1] Röttger, Paul, et al. "Xstest: A test suite for identifying exaggerated safety behaviours in large language models." arXiv preprint arXiv:2308.01263 (2023).

[2] https://ai.google.dev/gemini-api/docs/system-instructions.

Q2: While the benchmark holds value, the definitions of “over-refusal,” remain ambiguous.

A2: Sorry for the confusion. Please allow us to add more details.

The definition we used in our work is “when a model refuses to provide a helpful response, even when a safe and plausible answer is possible” which is drawn from the following definitions

Gemini [1] suggest that:

• The model should help the user and fulfill the user request; only refuse if it is not possible to find a response that fulfills the user goals without violating policy
• Be objective, don’t make assumptions about user intent.

OpenAI [2] suggest that:

• Assume best intentions from the user or developer
• Be as helpful as possible without overstepping

Llama [3] suggest that:

• A prompt should not be rejected if a plausible, safe response is possible.
• Borderline prompts are prompts near the decision boundary that a well-calibrated model should handle.

Thus we defined it this way. Reviewer P5nz has another definition for over-refusal which we think aligns with ours: “refusal is a false binary; there are ways to respond to requests without refusing and without providing the fully unethical/harmful answer”. Hopefully this helps with the reviewer’s confusion.

[1] Reid, Machel, et al. "Gemini 1.5: Unlocking multimodal understanding across millions of tokens of context." arXiv preprint arXiv:2403.05530 (2024).
[2] https://openai.com/index/introducing-the-model-spec/
[3] Dubey, Abhimanyu, et al. "The llama 3 herd of models." arXiv preprint arXiv:2407.21783 (2024).

Q3: Another important false refusal baseline is missing

A3: Thank the reviewer for the suggestion, yes, it’s a concurrent work with ours as mentioned in their section 6. It’s also an effective way to generate over-refusal prompts. The key difference is that [1] targets specific LLM to generate over-refusal prompts which works similarly as red-teaming and requires manual labeling (as mentioned in their section 4). Our work doesn’t rely on specific models and the over-refusal prompts are generated systematically according to the definition used by state-of-the-art LLMs from the very beginning. We will make sure to discuss it in our related works. Thank you again for the great suggestion!

[1] An, Bang, et al. "Automatic Pseudo-Harmful Prompt Generation for Evaluating False Refusals in Large Language Models." First Conference on Language Modeling (COLM)

Thank the reviewer for the great feedback and suggestion. Please see our response below.

Q1: Question about the definition

We are sorry for the confusion, due to limited space, please see our response to reviewer fdkf's Q2 above.

Q2: Incorrect claim about existing datasets

A2: Thank the reviewer for the feedback. Our work is concurrent or earlier than most of the works mentioned by the reviewer. So we have this description when releasing the first version. However, we agree that there have been many benchmarks containing fine-grained categories released since then and we will remove this claim.

Q3: Inter-worker agreement is low

A3: Sorry for the confusion. As mentioned in our appendix U that we have expert workers and non-expert workers, the inter-worker agreement ratio is above 97.0% between experts while it's much lower for non-experts, which suggests that the disagreements from non-experts are mostly coming from lack of domain knowledge. And it's important to build large-scale datasets with automation as static datasets such as XSTest tend to get overfit by newly released LLMs as mentioned in our section 2.

Also note that manually curated XSTest has been abandoned by recent models for being too simple and lack of coverage [3].

Q4: Question regarding GPT-4 judge

A4: Sorry for the confusion, the GPT-4 judge has been explored in XSTest and shown to preserve the ranking with that of human annotators [4].

Q5: Insights between the 80k version vs. the 1k version.

A5: We think the full 80k version is helpful for the following reasons:

1. 80K has larger coverage in all categories. Although 1K dataset can give a reasonable performance estimation, if one wants to look deeper into fine-grained performances (e.g., each category or each type of question), they can run on a larger dataset to get more detailed insights.
2. The 1K dataset can be easily overfitted as the benchmark is used more and more by the community, and the 80K set provides a more accurate unbiased result.
3. It has been recognized by LLM providers that having a large evaluation set with sufficient coverage of breadth and depth is important, e.g. Llama3 abandoned XSTest for lacking depth and breadth coverage and curated 4000 over-refusal prompts per model capability [3].
4. Our dataset is constructed with automated pipeline, allowing continuous update to make sure the coverage is sufficient and diverse enough.

Q6: It would be interesting to see examples where all models refused

A6: Thanks for the feedback, we didn’t find any prompt in our OR-Bench-Hard-1K dataset that’s rejected by all models due to different behaviors each model exhibited, e.g. GPT-3.5-turbo-0125 even answers many toxic prompts. The difficulty of different prompts is discussed in appendix Z. We uploaded more samples here: https://huggingface.co/spaces/llmoverrefusal/more_samples. Hopefully they can be helpful.

Q7: It is hard to interpret the diversity metrics

A7: As the reviewer can see from [5] that, compared to works reporting similar metrics, our datasets are already quite diverse. The main message we want to convey with the diversity metrics is that our curated OR-Bench-Hard-1K is not dominated by prompts from very similar topics.

Q8: More details of the human evaluation should be included in the main paper

A8: Thanks for the suggestion, due to limited space, we have to include many details in appendix, but we will take the reviewer’s advice and add more details in the main paper.

Q9: Incorrect use “Over Refusal” instead of the hyphenated version.

A9: Thank you so much, we will make sure to correct it in our next version.

Q10: Correlation with XSTest

A10: We briefly mentioned the comparison in our section 2. Here are more details.

1. For strong-performing LLMs such as Llama-3-70b, it already achieves close to 100% accuracy on XSTest but our results show that it still exhibits moderate over-refusal behaviors.

2. For very safe models such as Clause-3, they claimed significant over-refusal deduction on XSTest in their technical report. However, our results reveal that their over-refusal still remains quite high as shown in our appendix Q.2

3. For models that show strong over-refusal on XSTest such as Llama-2, they show strong over-refusals on our dataset too.

This result demonstrates the contribution of our work; for a small human-curated dataset, it is easy to be overfitted and “solved”. This suggests the importance of having a large diverse dataset that can be constructed and updated by an automated pipeline.

[1] Gemini 1.5: Unlocking multimodal understanding across millions of tokens of context.
[2] https://openai.com/index/introducing-the-model-spec/.
[3] The llama 3 herd of models.
[4] Xstest: A test suite for identifying exaggerated safety behaviours in large language models.
[5] Rainbow teaming: Open-ended generation of diverse adversarial prompts.

Thank you so much for recognizing the contribution of our work and all the great feedback. We will make sure to address them, please see our detailed responses below.

Q1: In the related work section, I would suggest adding a section on model refusals, which have a history before LLM safeguarding i.e. before 2023. Other related work missing. It would also be nice to add a section to the related work (or in the appendix) connecting the concept of over-refusal to over-moderation of speech in hate speech detection

A1: Thank you for your great suggestions. We will make sure to include these into our writing.

Q2: It'd be nice to include a discussion (either in 3.1 or in the limitations section) that refusal is a false binary; there are ways to respond to requests without refusing and without providing the fully unethical/harmful answer

A2: Thank you so much for your insightful suggestion. It will definitely make our definition of over-refusals more clear. We will modify our writings based on your feedback and include the finer-grained over-refusals in our future work.

Q3: In a similar vein to the experiments with jailbreak defenses, could authors try to see if ICL with OR-Bench examples decreases model over-refusal while improving safety? In general, I'm curious about the promise of using this dataset for training better LLM safeguards.

A3: Thank you for the suggestion. We conducted an experiment as suggested by the reviewer including two commercial models (GPT-4o and Claude-3.5) and one popular open-source model (Llama-3-70B) with randomly sampled 5 over-refusal prompts and 5 toxic prompts. We found significantly different model behaviors.

1. Regarding GPT-4o, we find that adding ICL examples doesn’t change its behavior much, e.g. (remains at the top left corner of figure 1). We think the reason is that this model can already handle such cases well, adding more samples doesn’t affect its behavior much.

2. Claude-3.5-Sonnet showed significantly different behavior. With the added examples, its rejection rate on over-refusal prompts increased from 43.8% to over 80% and its acceptance rate of toxic prompts decreased from 3% to 1% (moving towards the top right corner of figure 1). We noticed that it treats the ICL examples similar to red-teaming and refuses to answer most of the safe prompts due to the existence of ICL examples. This could indicate that Claude-3.5-Sonnet could have strong built-in safety mechanism which we have discovered in Claude-3 model series as well (see our appendix Q.2)

3. Different from GPT-4o and Claude-3.5-Sonnet, Llama-3-70b exhibited promising results with rejection rate on over-refusal prompts decreasing from 37.7% to 33.5% and the acceptance rate of toxic prompts decreased from 21.3% to 11.5% (moving towards the top left corner of figure 1 which is the optimal direction).

In summary, we found out that adding ICL examples to commercial LLMs may not work due to the strong built-in safety mechanisms such as Claude-3.5-sonnet. For open-source models, adding ICL examples showed promising results.

Besides ICL examples, our dataset has been used by several following works to mitigate over-refusal problems such as extracting a “shifting” vector from a contrasting pair of over-refusal and toxic prompt which can be applied to the models weights to reduce over-refusals and strength safety. We sincerely hope our dataset can help the community develop better safety aligned models.

We thank the reviewer again for the suggestion and feedback. We really appreciate it!