Efficient Detection of LLM-generated Texts with a Bayesian Surrogate Model

Thank you for your valuable and comprehensive review. Below we address the detailed comments and hope that you may find our response satisfactory and raise your score.

Question 1: Constructing the kernel function with BertScore needs also needs to querying the LLM extensively, and that seems also expensive.

We respectfully clarify that the numbers of parameters and FLOPs of BERT-base used for calculating BERTScore are 0.11B and $2.9\*10^{10}$ FLOPs, whereas the GPT-2 for calculating $\log p$ have 1.5B parameters and $3.4\*10^{12}$ FLOPs, and the LLaMA for calculating $\log p$ have 65B parameters and $6\.6*10^{13}$ FLOPs.

Therefore, the query cost of BERTScore is comparatively negligible in the pipeline.

Question 2: Hoping to see the analysis of the impact of the variance and bias on the performance of the method.

Thanks for the constructive comment.

The probabilistic density function $p_\theta$ is deterministic. Thus, the mentioned “variance of the $\log p_\theta$” must be w.r.t. the perturbation distribution $q$. However, as detailed in (Mitchell et al., 2023), only $E_{q(x)} [\log p_\theta (x)]$ connects to the probabilistic curvature, the variance $Var_{q(x)}[\log p_\theta (x)]$ is meaningless.

Instead, as suggested by the reviewer, we should care about the variance of the empirical estimates of $E_{q(x)} [\log p_\theta (x)]$ and $E_{q(x)} [f(x)]$. For the former, the randomness stems from the data sampling process, and its effect is reflected by the error bars in Figure 2. For the latter, the randomness mainly stems from the samples used to assess $f$ at last, because the typical samples are identified in a nearly deterministic way (except for the initialization). As we use 200 samples to assess $f$, the variance caused by this part is minimal.

To evaluate the bias between $E_{q(x)} [\log p_\theta (x)]$ and $E_{q(x)} [f(x)]$, we can regard our current estimation of $E_{q(x)} [f(x)]$ using 200 samples as accurate and also use 200 samples to estimate $E_{q(x)} [\log p_\theta (x)]$. In our experience, the latter can usually lead to a detection AUROC of more than 98%. In comparison, the detection AUROC of the former with only 10 queries to the source LLM is less than 96%. Thus, the bias is significant. However, it is certain that we can reduce such a bias by incorporating more queries to the source LLMs for $E_{q(x)} [f(x)]$. This is echoed by the results in Section 4.1: once including enough queries, using $E_{q(x)} [f(x)]$ can catch up with the performance of using $E_{q(x)} [\log p_\theta (x)]$.

Thanks for your further clarification. We make the following comments:

1. Variance of $\frac{1}{N}\sum_{i=1}^N f(X_i)$.

It is minimal as we set $N=200$ (i.e., use 200 rephrased texts around the original text to compute an average score). We have performed an empirical study regarding this. Using the setting corresponding to the results in Figure 2a, at the query time of 16 for estimating $f$, we compute the variance of $\frac{1}{N}\sum_{i=1}^N f(X_i)$ over 3 runs for 5 randomly selected texts from the dataset and obtain 0.0006, 0.0003, 0.0011, 0.0013, and 0.0011. In comparison, the mean of $\frac{1}{N}\sum_{i=1}^N f(X_i)$ is -2.2376, -2.5655, -2.4450, -2.2474, and -2.5945 respectively. As demonstrated, the mean is orders of magnitude larger than the variance. We will add more detailed results in the revision.

2. Bias of $\frac{1}{N}\sum_{i=1}^N f(X_i)$.

As $\frac{1}{N}\sum_{i=1}^N f(X_i)$ is an unbiased estimator of $\mathbb{E}_{q(x)} f(x)$, we speculate the mentioned bias corresponds to the gap between

$\frac{1}{N} \sum_{i=1}^N f(X_i)$ and $\frac{1}{N}\sum_{i=1}^N \log p_\theta (X_i)$.

In our experience, using $200$ samples to estimate the latter usually leads to a detection AUROC of more than 98%. In comparison, the detection AUROC of the former with 10 queries to the source LLM $p_\theta$ for estimating $f$ is less than 96%. Thus, the bias is significant. However, it is certain that we can reduce such a bias by incorporating more queries to the source LLMs for estimating the function $f$. This is echoed by the results in Section 4.1: once including enough queries for estimating $f$, using $\frac{1}{N} \sum_{i=1}^N f(X_i)$ can catch up with the performance of using $\frac{1}{N}\sum_{i=1}^N \log p_\theta (X_i)$.

Thank you for your constructive comments. Below we address the detailed comments and hope that you may find our response satisfactory and raise your score.

Question 1: Limited open-source LLMs considered, lack of trends with respect to parameter size and analysis on black-box models.

Thanks. We first clarify that our existing experiment settings align with DetectGPT (Mitchell et al., 2023). Our current empirical comparisons are fair, having proven our contribution to improving the query efficiency of log-curvature-based LLM-generated text detection. As acknowledged by Reviewer 5xFn, our method “show clear performance improvements over DetectGPT”, and by Reviewer 2wLg, our method ”maintain high prediction performance”. So, we clarify that the lack of the mentioned experiments is not a fundamental limitation of this paper.

Besides, LLaMA-65B is not a trivial LLM, as shown in (LLaMA 2 paper, Table 3), LLaMA-65B can consistently beat LLaMA 2 of 7B, 13B, and 34B across a series of benchmarks (e.g., Commonsense Reasoning, World Knowledge, Reading Comprehension, Math, MMLU, BBH, AGI Eval). As the community of LLM is developing very rapidly, we don’t have enough energy to catch up with all the recent models and undertake a comprehensive evaluation across many more LLMs: for example, Llama-2, Guanaco, Vicuna, Falcon, MPT, ChatGLM, etc.

Comparing the results on LLaMA-65B to those on GPT-2, we can see that detecting larger or more advanced models is more challenging for both DetectGPT and our method. This implies that more queries are needed to complete the detection on LLM with a high parameter size. To further verify these claims, we have started a set of experiments with the series of LLaMA models on the XSum dataset and will offer the corresponding results in subsequent updates (if the running finishes before the end of the rebuttal period) or the final version.

As for black-box detection, our cross-evaluation is sufficient to demonstrate that our method outperforms DetectGPT in black-box scenarios, using the same setting as the DetectGPT paper. We will experiment with the mentioned API-based black-box models in the next version.

Question 2: Overall Lack of Experimental Rigor

We totally understand your concern. However, we argue that it is just a case study to prove the convergence trend of our method. The main focus of our method is still the low-budget regime, where our results are from multiple random runs and are statistically rigorous. We will revise the paper to clarify this point.

Question 3: Many typos and grammatical errors

Thanks for pointing out this, and we have revised the paper accordingly.

Thank you for your patience regarding the results of the LLaMA2 series. Below, you will find the results for XSum:

Due to time constraints, we only experimented with up to 15 queries to the source LLM. As shown, both DetectGPT and our method exhibit lower detection AUROC scores as the model size increases. However, our method, using 10 queries, outperforms the DetectGPT baseline using 15 queries. This demonstrates the query efficiency of our method in the LLaMA2 case. It is also worth noting that the LLaMA2 models are indeed more challenging to detect compared to GPT-2.

In the next version, we will investigate if allocating a higher query budget and employing a stronger perturbation model can yield improved AUROC scores. We will also strengthen our cross evaluation of the black-box models. We thank the reviewer again for the constructive feedback!

Best

Dear reviewer 59P9,

As the discussion session draws to a close, we would like to inquire if there are any additional comments or clarifications you would like to make. We are more than willing to provide responses to any inquiries and address any feedback you may have.

Thank you for your time and consideration!

We appreciate the reviewer for the positive feedback and the acknowledgment that our method is simple and effective. Below we address the detailed concerns.

Question 1: Regarding other baselines

Thanks for the comment. As stated in the first paragraph of Section 4, we mainly compare our method to DetectGPT (Mitchell et al., 2023) because (i) both works adopt the same detection measure (probability curvature), and (ii) DetectGPT has proven to defeat prior zero-shot and supervised methods consistently. We recently noted some concurrent works [1, 2] and will add discussions and/or empirical comparisons with them in the final version.

References:

[1] Guo, Biyang, et al. "How close is chatgpt to human experts? comparison corpus, evaluation, and detection." arXiv preprint arXiv:2301.07597 (2023).

[2] Bao et al. “Fastdetectgpt: Efficient zero-shot detection of machinegenerated text via conditional probability curvature.” arXiv preprint arXiv:2310.05130(2023)

Question 2: Why not have results similar to Detect GPT? The numbers in their paper and here dont match up.

Thanks. As our main contribution is to improve the query efficiency of probability curvature-based detectors like DetectGPT, we are primarily concerned with detecting under a low query budget (stated in the first paragraph of Section 4). We also admit that our method would perform similarly to DetectGPT if queries to the source model can be numerous.

Regarding the numbers, those in the paper of DetectGPT correspond to a query number of 1000, while those in our paper correspond to 1-15 query times.

The reported numbers prove that the effectiveness of DetectGPT is significantly reduced at a low query budget, and our method addresses this issue.

Question 3: What is the performance like if you used some other model that is not GP as surrogate?

Thanks for the suggestion. However, we would like to clarify that the specification of the mentioned other model is non-trivial. As stated in Sec 3.3, the surrogate model f is expected to be trained in the low-data regime while being expressive enough to handle non-trivial local curvature and not prone to overfitting. Additionally, the model should inherently incorporate mechanisms for typical sample selection. Thus, we choose the GP and speculate that parametric models like NNs may not be applicable here. We will continue to explore other choices, such as neural processes and implicit processes, in future work.

Question 4: Did you look result if you used a encoder model as classifier and trained a bit as its easy to generate the data for this?

Thanks for the question. We would like to clarify some key points: 1) The DetectGPT paper has already demonstrated that the original DetectGPT outperforms the RoBERTa encoder-based classifier. Given our superior performance compared to DetectGPT, it can be inferred that our model would also outperform RoBERTa at higher query numbers. 2) Supervised detectors are often susceptible to biases from training data and entail higher training costs. In contrast, our method can better generalize and is training-free.