Enhancing Adversarial Robustness of LLMs with Analytic Hierarchy Process

R1: Inference costs.

A1: Thanks. Our method indeed increases inference costs compared with direct response to user input prompt. In general, one may either improve training-time alignment or inference-time alignment. Training-time alignment for LLMs is highly cost and hard to adapt to multiple attacks. Our method takes the inference-time alignment approach and is capable of adaptively defense against multiple attacks. As we do not increase training-time costs, and there is no free lunch for enhancing model robustness, it is inevitable to increase inference costs. However, our method can be used as a general and quick ad-hoc strategy to deal with new potential risks, and it can be promptly applied to any model.

Besides, we have analyzed the trade-off between inference costs and the effectiveness of robustness of our framework in Appendix F (Ablation Study). In the ablation experiment, we gradually removed reasoning steps. As the removal of reasoning steps led to an improvement in reasoning efficiency, the model's robustness gradually decreased. The discussion of inference cost is in Appendix C. We set the upper limit to 10 iterations, and all models successfully completed the test before reaching the iteration limit.

R2: Ablation

A2: Thanks for the valuable suggestions. Our comparative methods can be viewed as simplified versions of traditional methods, such as spell-check and Paraphrase, both of which attempt purification. We are not necessarily striving to achieve state-of-the-art performance in every subtask. Instead, our primary objective is to provide a robust and adaptable solution for adversarial defense. The effectiveness of our proposed method has been demonstrated through comparative experiments.

R3: Single type of noise

A3: Thank you for suggesting a more challenging validation scenario. Our current choice of validating each type of attack individually is mainly due to the consideration of representative attack methods, all of which utilize a single type of noise. If there are new mixed attack methods, we will add them to the supplementary experiments. Additionally, we manually tested several handwritten mixed noises (Adversarial Noises mixed with Automatic Gradient). Our method remains effective in manual tests, which is primarily due to our defense framework not being targeted at a specific type of noise.

(We have answered all the questions, but due to the maximum length limit can't provide them at this stage)

R1: The baselines.

A1: The two defense methods you mentioned, [1] and [2], are specifically designed for jailbreak scenarios. Results in the table below.

Our method can handle a variety of different attacks and provides a more detailed verification of the defense, enhancing the robustness of chat models by iteratively checking for potential risks and verifying output safety. When modules in our method are simplified or removed, AHP can degrade to either [1] or [2]. Therefore, our results consistently outperform [1] and [2].

R2: Connection.

A2: We have described the connection between the proposed framework and AHP in Introduction Section. The AHP, developed by Thomas L. Saaty, is a decision-making process that uses a multi-level hierarchical structure of objectives, criteria, sub-criteria, and alternatives. The main principle of AHP is that it decomposes a complex problem into a hierarchy of more easily comprehensible sub-problems, each of which can be analyzed independently. In the context of our work, we have adapted the AHP framework to guide the decision-making process of LLMs. The complex task of defending against diverse and potentially malicious inputs is broken down into smaller, more manageable sub-tasks. These sub-tasks are then prioritized and systematically addressed, similar to how the AHP breaks down decision-making into a hierarchy of criteria and alternatives.

R3: Attack[4].

A3: We have supplemented the experiment on [4]. (Due to length limit, see table in response to Reviewer Teap). It can be seen that our method still exhibits strong robustness against this new type of attack. This is because our method is not designed for specific tasks, but rather, it gradually eliminates noise through multiple rounds of understanding language via LLMs, therefore it has good generality.

We highly appreciate your valuable feedback. We hope these answers will help you re-evaluate the rating score of the paper.

R1. Theoretical analysis

A1: We have designed a general framework to cope with various potential adversarial attack risks. Similar to most LLM Agent works, we cannot provide theoretical guarantees. Our contribution is to divide the safety reasoning process into two objectives. The part that ensures safety is designed as multi-round iteration. When one round cannot complete the correction of noise, multi-round iteration can increase the possibility of identifying and correcting the noise. Table 6 shows the number of rounds needed for different models. For scalability on more models and datasets, we used 4 representative large models including llama2 and Chatgpt-3.5 in the experiment, and verified under 3 different attack methods. The experimental results show that there is an improvement in robustness on all models. On the other hand, our reasoning framework is a general framework, not specifically designed for specific noise, so it has good scalability.

R2. Table 1 results

A2: Thank you for your question. The experimental results in Table 1 are mainly due to AHP uses the LLM itself to complete the safety check, which requires the model to have strong semantic understanding capabilities. Therefore, when the language model capabilities are limited, the effect is not obvious. Besides, we verified the effect of using different models as the AHP Engine (Figure 3). When a stronger model is used, our method shows more obvious improvement.

Q1. Instruction design

Answer: Thanks. Generally speaking, it's hard to claim which prompt is optimal. Even for system prompts of LLMs, they are usually hand-crafted. On the other hand, as the instruction-following ability of LLMs increases, the need to search for an optimal prompt becomes less. For the instructions in our method, we conducted iterative manual tuning according to the objectives of each subtask, and finally found a good instruction. The experiment proved that the designed instruction is effective. We cannot guarantee that this is the optimal instruction, but if the optimal one can be found, our method can achieve better results. As for the instructions of the downstream tasks, we have adopted the settings of previous works [1,2] for the sake of experimental consistency.

[1] Wang, Jindong, et al. "On the robustness of chatgpt: An adversarial and out-of-distribution perspective.".2023

[2] Liu, Yi, et al. "Jailbreaking chatgpt via prompt engineering: An empirical study.".2023

We thank the reviewer very much for the acknowledgment of our work and valuable feedback on further improving this work.

R1: The evaluations are based on benchmarking datasets that are released on the web. I am wondering if study considered the test data contamination issues where the LLM models have seen the datasets in their training phases.

A1: Thank you for raising this insightful concern. We have checked the knowledge cut-off dates of the models used in our experiments to avoid data contamination. The cut-off date for Llama2 is September 2022, and for Chatgpt-3.5, it's September 2021. The adversarial samples we used, such as AdvGLUE and GPTFUZZER, were released in November 2021 and October 2023, respectively. The Automatic Gradient Generated samples were dynamically generated. Therefore, we believe that there were no data contamination issues in our experiments. Additionally, we have supplemented our study with the latest attack[1] methods as further verification. (due to max length limit, only gpt-3.5 results are show below)

The results(ASR) above are consistent with the conclusions of our existing experiments. The effectiveness of our method stems from the large language models' understanding of language semantics. Through our designed APH framework, LLMs can autonomously uncover potential risks.

R2: Also, it is also better to include human evaluation besides benchmarking datasets to state the robustness of the proposed framework. Do you have any human evaluation studies to verify the findings?

A2: Thanks. Human evaluation indeed enhances the comprehensiveness of the experiment. In our experiments, we already have attack methods built with manual templates, which can be seen as human verification. The results are shown in Table 2. The experimental results on manual template attacks have proven the effectiveness of the method. For human evaluation of defense process, we have provide case studies in Appendix F.

[1] An LLM can Fool Itself: A Prompt-Based Adversarial Attack, ICLR, 2024